
Windows Analysis Report
Ddj3E3qerh.exe

Overview

General Information

Sample name: Ddj3E3qerh.exe
renamed because original name is a hash value
Original sample name: 88ec98143583ec8e9c2ab137463322ce04bfb1a03f112fe1fb0d09ad502a1429.exe
Analysis ID: 1588297
MD5: 0a6d497237dc22f74fa9eb514ef6aef1
SHA1: 99ced63b28ed88283f8b293d1a4804acb22cf01c
SHA256: 88ec98143583ec8e9c2ab137463322ce04bfb1a03f112fe1fb0d09ad502a1429
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Ddj3E3qerh.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\Ddj3E3qerh.exe" MD5: 0A6D497237DC22F74FA9EB514EF6AEF1)
    • cmd.exe (PID: 6248 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 8180 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7692220058:AAEny12fSzuKXI7iNJaESECu5UR80nmwLAQ/sendMessage?chat_id=7342994424", "Token": "7692220058:AAEny12fSzuKXI7iNJaESECu5UR80nmwLAQ", "Chat_id": "7342994424", "Version": "5.1"}
Source: Ddj3E3qerh.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Ddj3E3qerh.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: Ddj3E3qerh.exe | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: Ddj3E3qerh.exe | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x14bcf:$a1: get_encryptedPassword
  • 0x14ebb:$a2: get_encryptedUsername
  • 0x149db:$a3: get_timePasswordChanged
  • 0x14ad6:$a4: get_passwordField
  • 0x14be5:$a5: set_encryptedPassword
  • 0x1623c:$a7: get_logins
  • 0x1619f:$a10: KeyLoggerEventArgs
  • 0x15e0a:$a11: KeyLoggerEventArgsEventHandler
Source: Ddj3E3qerh.exe | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
  • 0x1c51c:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b74e:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bb81:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbc0:$a5: \Kometa\User Data\Default\Login Data
Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x149cf:$a1: get_encryptedPassword
  • 0x14cbb:$a2: get_encryptedUsername
  • 0x147db:$a3: get_timePasswordChanged
  • 0x148d6:$a4: get_passwordField
  • 0x149e5:$a5: set_encryptedPassword
  • 0x1603c:$a7: get_logins
  • 0x15f9f:$a10: KeyLoggerEventArgs
  • 0x15c0a:$a11: KeyLoggerEventArgsEventHandler
Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_SnakeKeylogger | Description: Detects Snake Keylogger | Author: ditekSHen
  • 0x19954:$x1: $%SMTPDV$
  • 0x18338:$x2: $#TheHashHere%&
  • 0x198fc:$x3: %FTPDV$
  • 0x182d8:$x4: $%TelegramDv$
  • 0x15c0a:$x5: KeyLoggerEventArgs
  • 0x15f9f:$x5: KeyLoggerEventArgs
  • 0x19920:$m2: Clipboard Logs ID
  • 0x19b5e:$m2: Screenshot Logs ID
  • 0x19c6e:$m2: keystroke Logs ID
  • 0x19f48:$m3: SnakePW
  • 0x19b36:$m4: \SnakeKeylogger\
Source: 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
  • 0x14bcf:$a1: get_encryptedPassword
  • 0x14ebb:$a2: get_encryptedUsername
  • 0x149db:$a3: get_timePasswordChanged
  • 0x14ad6:$a4: get_passwordField
  • 0x14be5:$a5: set_encryptedPassword
  • 0x1623c:$a7: get_logins
  • 0x1619f:$a10: KeyLoggerEventArgs
  • 0x15e0a:$a11: KeyLoggerEventArgsEventHandler
Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
  • 0x1c51c:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b74e:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bb81:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbc0:$a5: \Kometa\User Data\Default\Login Data
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:40:28.147802+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49817 | 104.21.96.1 | 443 | TCP
2025-01-10T23:40:34.147765+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 49861 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:40:24.249618+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49722 | 132.226.247.73 | 80 | TCP
2025-01-10T23:40:26.812425+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49722 | 132.226.247.73 | 80 | TCP
2025-01-10T23:40:28.921505+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49821 | 132.226.247.73 | 80 | TCP

AV Detection

Source: Ddj3E3qerh.exe | Avira: detected
Source: 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7692220058:AAEny12fSzuKXI7iNJaESECu5UR80nmwLAQ/sendMessage?chat_id=7342994424", "Token": "7692220058:AAEny12fSzuKXI7iNJaESECu5UR80nmwLAQ", "Chat_id": "7342994424", "Version": "5.1"}
Source: Ddj3E3qerh.exe | Virustotal: Detection: 69%
Source: Ddj3E3qerh.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ddj3E3qerh.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Ddj3E3qerh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49798 version: TLS 1.0
Source: Ddj3E3qerh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: Ddj3E3qerh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49821 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49722 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49817 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49861 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49798 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027A9000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000026BF000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027A9000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000026B3000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002702000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000026BF000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002789000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Ddj3E3qerh.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027A9000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000026D7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027A9000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002702000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000026BF000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Ddj3E3qerh.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027A9000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000276D000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002702000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.00000000027B7000.00000004.00000800.00020000.00000000.sdmp, Ddj3E3qerh.exe, 00000000.00000002.1616729861.000000000275F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown | Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49911

System Summary

                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CC1970_2_008CC197
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008C61080_2_008C6108
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CB3280_2_008CB328
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CC4700_2_008CC470
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008C67300_2_008C6730
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CC7530_2_008CC753
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008C98580_2_008C9858
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008C4AD90_2_008C4AD9
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CCA330_2_008CCA33
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CBBD30_2_008CBBD3
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CBEB70_2_008CBEB7
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008CB4F30_2_008CB4F3
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeCode function: 0_2_008C35730_2_008C3573
                    Source: Ddj3E3qerh.exe, 00000000.00000002.1616097570.0000000000A1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Ddj3E3qerh.exe
                    Source: Ddj3E3qerh.exe, 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ddj3E3qerh.exe
                    Source: Ddj3E3qerh.exeBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ddj3E3qerh.exe
                    Source: Ddj3E3qerh.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Ddj3E3qerh.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: Ddj3E3qerh.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
                    Source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
                    Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
                    Source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
                    Source: classification engine | Classification label: mal100.troj.winEXE@6/1@3/3
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ddj3E3qerh.exe.log
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
                    Source: Ddj3E3qerh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Ddj3E3qerh.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Ddj3E3qerh.exe | Virustotal: Detection: 69%
                    Source: Ddj3E3qerh.exe | ReversingLabs: Detection: 91%
                    Source: Ddj3E3qerh.exe | String found in binary or memory: F-Stopw
                    Source: unknown | Process created: C:\Users\user\Desktop\Ddj3E3qerh.exe "C:\Users\user\Desktop\Ddj3E3qerh.exe"
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
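Worked example (added here; it is not part of the Joe Sandbox report or of the sample): a parser for the self-deletion chain recorded in the process tree above. `choice /C Y /N /D Y /T 3` shows no prompt (`/N`) and auto-selects `Y` (`/D Y`) after 3 seconds (`/T 3`), so it is nothing but a timer that lets the parent exit before `Del` removes its own image. The check keys on the structure (a time-burning command followed by `del`/`erase`) and on whether the deleted path equals the parent image, which survives renamed binaries and changed timeouts better than matching the literal string; fed with the CommandLine and ParentImage fields of a process-creation event it works as a detection rule. It also accepts `timeout /t` and `ping -n` as timers, a generalisation beyond what this report shows. `REPORT_CMDLINE` and `REPORT_PARENT` are copied from the process tree above; `VARIANT_CMDLINE` is constructed for illustration.

```python
"""Detect the 'timer & del <own image>' self-deletion idiom in a cmd.exe command line."""
import re

# Command line exactly as recorded in the process tree above, and the image
# path of the process that spawned it.
REPORT_CMDLINE = r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe"'
REPORT_PARENT = r"C:\Users\user\Desktop\Ddj3E3qerh.exe"

# Constructed variant (not from the report): timeout as the timer, and the
# deleted file is not the parent image.
VARIANT_CMDLINE = r'cmd.exe /c timeout /t 5 /nobreak > nul & del /f /q "C:\Users\user\AppData\Local\Temp\stage.exe"'

_PAYLOAD_RE = re.compile(r"\s/[ck]\s+(.*)$", re.IGNORECASE | re.DOTALL)
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _payload(cmdline):
    """Return the command string cmd.exe was asked to run (everything after /C or /K)."""
    m = _PAYLOAD_RE.search(cmdline)
    if not m:
        return None
    payload = m.group(1).strip()
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]  # cmd /c "..." wrapper
    return payload


def _segments(payload):
    """Split on '&' / '&&' outside double quotes (cmd's command separators)."""
    segs, cur, in_quotes, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            segs.append("".join(cur).strip())
            cur = []
            if payload[i + 1 : i + 2] == "&":  # swallow the second '&' of '&&'
                i += 1
        else:
            cur.append(ch)
        i += 1
    segs.append("".join(cur).strip())
    return [s for s in segs if s]


def _tokens(segment):
    return [t.strip('"') for t in _TOKEN_RE.findall(segment)]


def _verb(tokens):
    """Normalise the first token: strip a leading path and a .exe suffix, lower-case."""
    name = tokens[0].lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def _timer_seconds(tokens):
    """Return (timer_name, seconds) if the segment only burns time, else None."""
    verb = _verb(tokens)
    if verb in ("choice", "timeout"):
        for i, tok in enumerate(tokens[1:-1], start=1):
            if tok.lower() == "/t" and tokens[i + 1].isdigit():
                return verb, int(tokens[i + 1])
        if verb == "timeout" and len(tokens) > 1 and tokens[1].isdigit():
            return verb, int(tokens[1])
    if verb == "ping":  # ping -n N host waits about one second between echoes
        for i, tok in enumerate(tokens[1:-1], start=1):
            if tok.lower() == "-n" and tokens[i + 1].isdigit():
                return verb, max(int(tokens[i + 1]) - 1, 0)
    return None


def _delete_target(tokens):
    """Return the path a del/erase segment removes, skipping switches and redirections."""
    if _verb(tokens) not in ("del", "erase"):
        return None
    for tok in tokens[1:]:
        if tok.startswith("/") or tok in (">", ">>", "nul", "2>&1"):
            continue
        return tok
    return None


def parse_self_delete(cmdline, parent_image=None):
    """Return details of a timer-then-delete chain, or None if the line is not one."""
    payload = _payload(cmdline)
    if payload is None:
        return None
    timer, target = None, None
    for seg in _segments(payload):
        toks = _tokens(seg)
        if not toks:
            continue
        timer = timer or _timer_seconds(toks)
        target = target or _delete_target(toks)
    if timer is None or target is None:
        return None
    return {
        "timer": timer[0],
        "delay_seconds": timer[1],
        "target": target,
        # Case-insensitive: NTFS paths are, and the report itself spells the same
        # directory "System32" and "system32".
        "deletes_parent": bool(parent_image) and target.lower() == parent_image.lower(),
    }


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, VARIANT_CMDLINE):
        print(parse_self_delete(line, REPORT_PARENT))
```

For the report's own command line the result is `timer = choice`, `delay_seconds = 3`, `deletes_parent = True`; the constructed variant parses as a `timeout` timer deleting a different file, so `deletes_parent` is `False`.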
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Sections loaded, in load order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                    Source: Ddj3E3qerh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Ddj3E3qerh.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe"
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Memory allocated: 8C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Memory allocated: 25F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Memory allocated: 2400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Thread delayed: delay time, 50 successive calls decreasing from 600000 to 594531 in steps of roughly 110: 600000, 599875, 599765, 599656, 599547, 599437, 599277, 599170, 599044, 598937, 598828, 598717, 598609, 598500, 598390, 598280, 598172, 598062, 597953, 597843, 597734, 597625, 597515, 597406, 597296, 597187, 597078, 596968, 596859, 596750, 596640, 596531, 596422, 596312, 596203, 596094, 595969, 595859, 595750, 595640, 595531, 595422, 595309, 595203, 595094, 594969, 594859, 594745, 594640, 594531
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Window / User API: threadDelayed 1718
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Window / User API: threadDelayed 8139
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe TID: 6220 | Thread sleep count: 32 > 30
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe TID: 6220 | Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe TID: 3472 | Thread sleep count: 1718 > 30
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe TID: 3472 | Thread sleep count: 8139 > 30
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe TID: 6220 | Thread sleep time, 50 successive calls (recorded interleaved with the TID 3472 entries above), each >= -30000s: -600000s, -599875s, -599765s, -599656s, -599547s, -599437s, -599277s, -599170s, -599044s, -598937s, -598828s, -598717s, -598609s, -598500s, -598390s, -598280s, -598172s, -598062s, -597953s, -597843s, -597734s, -597625s, -597515s, -597406s, -597296s, -597187s, -597078s, -596968s, -596859s, -596750s, -596640s, -596531s, -596422s, -596312s, -596203s, -596094s, -595969s, -595859s, -595750s, -595640s, -595531s, -595422s, -595309s, -595203s, -595094s, -594969s, -594859s, -594745s, -594640s, -594531s
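Worked example (added here; not from the report or the sample): a summary of the "Thread delayed" entries above. Two things in the raw values are worth knowing before reading them as evasion. 922337203685477 is .NET's TimeSpan.MaxValue expressed in whole milliseconds (2^63 - 1 ticks of 100 ns), i.e. an unbounded wait; the -29514790517935264s logged for TID 6220 is exactly 32 × 922337203685477, the aggregate of the 32 sleeps counted on that thread. The 600000 ms (10 minute) delay that shrinks by roughly 110 ms per call down to 594531 is consistent with a deadline loop that re-issues Sleep(deadline - now) whenever a sleep returns early; if that is what the code does, skipping sleeps alone does not get past it, the sandbox clock has to advance as well. The script below parses the first fifteen report lines (copied above with the "Jump to behavior" suffix removed), separates the sentinel from the countdown, and estimates the step and the number of iterations such a loop would need. Taken together with the other entries in this block: the memory write-watch allocations and the repeated NOOPENFILEERRORBOX settings come from the .NET runtime itself (the CLR garbage collector reserves its heaps with MEM_WRITE_WATCH, and the loader sets SEM_NOOPENFILEERRORBOX before probing for files), so they corroborate a .NET binary rather than evasion; the sleep pattern is the part that matters.

```python
"""Summarise 'Thread delayed' entries: spot the infinite-wait sentinel and any
deadline-driven countdown loop."""
import re
import statistics

# .NET TimeSpan.MaxValue is 2**63-1 ticks of 100 ns; in whole milliseconds that
# is the 922337203685477 the report shows, i.e. an effectively infinite wait.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# The first fifteen 'Thread delayed' entries copied from the report above
# (values are milliseconds, the report's unit).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599277
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599170
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 599044
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 598937
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 598828
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 598717
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe Thread delayed: delay time: 598500
"""

_DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


def parse_delays(lines):
    """Extract the delay values from report lines; lines without one are ignored."""
    values = []
    for line in lines:
        m = _DELAY_RE.search(line)
        if m:
            values.append(int(m.group(1)))
    return values


def countdown_runs(values, min_len=5, tolerance=0.6):
    """Find runs of strictly decreasing delays with a near-constant step.

    A loop of the form 'while now < deadline: Sleep(deadline - now)' produces
    exactly this when each Sleep returns early (e.g. a sandbox skipping sleeps):
    the requested delay shrinks by the per-iteration overhead each time.
    """
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        if i == len(values) or values[i] >= values[i - 1]:
            if i - start >= min_len:
                runs.append(values[start:i])
            start = i
    result = []
    for run in runs:
        steps = [a - b for a, b in zip(run, run[1:])]
        step = statistics.median(steps)
        if step <= 0 or any(abs(s - step) > tolerance * step for s in steps):
            continue  # irregular spacing: not a simple countdown
        result.append({
            "start_ms": run[0],
            "end_ms": run[-1],
            "samples": len(run),
            "step_ms": step,
            # Iterations the loop needs before the deadline passes if every
            # sleep keeps returning early at this rate.
            "iterations_to_expire": round(run[0] / step),
        })
    return result


def analyze(lines):
    """Split the delays into infinite-wait sentinels and countdown runs."""
    values = parse_delays(lines)
    finite = [v for v in values if v != TIMESPAN_MAX_MS]
    return {
        "total_delays": len(values),
        "infinite_waits": len(values) - len(finite),
        "countdowns": countdown_runs(finite),
    }


if __name__ == "__main__":
    print(analyze(REPORT_LINES.splitlines()))
```

On the fifteen lines above this reports one infinite wait and one countdown of 14 samples from 600000 to 598500 with a median step of 109 ms, which would take about 5505 early-returning iterations to exhaust the 10 minute budget.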
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Thread delayed: delay time, successive calls: 600000, 599875, 599765, 599656, 599547, 599437, 599277, 599170, 599044, 598937, 598828, 598717, 598609, 598500, 598390, 598280, 598172, 598062, 597953, 597843, 597734, 597625, 597515, 597406, 597296, 597187, 597078, 596968, 596859, 596750, 596640, 596531, 596422, 596312, 596203, 596094
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595969Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595859Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595750Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595640Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595531Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595422Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595309Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595203Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 595094Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 594969Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 594859Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 594745Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 594640Jump to behavior
                    Source: C:\Users\user\Desktop\Ddj3E3qerh.exeThread delayed: delay time: 594531Jump to behavior
Source: Ddj3E3qerh.exe, 00000000.00000002.1616166621.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "Hyper-V RAW%SystemRoot%\system32\mswsock.dll|"
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Queries volume information: C:\Users\user\Desktop\Ddj3E3qerh.exe VolumeInformation
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Ddj3E3qerh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
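Two of the behaviours listed above are worth turning into triage logic: the run of 50 thread delays that starts at 600000 ms (10 minutes) and shrinks by roughly 110 ms per call, and the "cmd.exe /C choice /C Y /N /D Y /T 3 & Del" process creation that the report flags as self deletion via cmd. One reading of the delay series, which the report itself does not state, is a loop that sleeps for the time remaining until a fixed deadline and is woken early each time by the sandbox's Sleep interception (the General Information section records 130 modified Sleep calls), so the remaining time drops by the real elapsed interval on every iteration. The following is an added example, not code from the report or from Joe Security; it parses behaviour lines in the "Source: ... | ..." layout used on this page (the lines it is fed are constructed to mirror the entries above, and only a short excerpt of the delay series is included), and every name in it is the author's own.

```python
"""Triage of Joe Sandbox-style behaviour lines (added example, not part of the report)."""
import re
import statistics
from dataclasses import dataclass

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
PROC_RE = re.compile(r"Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# Threshold used by the report's "Contains long sleeps (>= 3 min)" signature, in ms.
LONG_SLEEP_MS = 3 * 60 * 1000
# "choice /C Y /N /D Y /T <secs> & Del <path>": choice idles for <secs> seconds, then Del runs.
SELF_DELETE_RE = re.compile(
    r'choice\s+/C\s+\S+.*?/T\s+(?P<secs>\d+)\s*&\s*Del\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE,
)


@dataclass
class SleepLoop:
    calls: int
    longest_ms: int
    strictly_decreasing: bool
    median_step_ms: float

    @property
    def looks_like_resleep_loop(self) -> bool:
        # Several calls, each a little shorter than the last, starting from a delay
        # long enough to outlast a typical sandbox run: the "re-sleep until deadline" shape.
        return (self.calls >= 3 and self.strictly_decreasing
                and self.longest_ms >= LONG_SLEEP_MS
                and 0 < self.median_step_ms < 1000)


def parse_delays(lines):
    """Delay values in ms, in report order, from 'Thread delayed' lines."""
    return [int(m.group(1)) for line in lines if (m := DELAY_RE.search(line))]


def analyse_sleeps(delays):
    """Summarise a delay series: how long, how many, and how it changes call to call."""
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return SleepLoop(
        calls=len(delays),
        longest_ms=max(delays, default=0),
        strictly_decreasing=bool(steps) and all(s > 0 for s in steps),
        median_step_ms=float(statistics.median(steps)) if steps else 0.0,
    )


def find_self_delete(lines, sample_path):
    """(delay_secs, target) for every choice-then-Del command aimed at the sample itself."""
    hits = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        d = SELF_DELETE_RE.search(m.group("cmdline"))
        if d and d.group("target").strip().lower() == sample_path.lower():
            hits.append((int(d.group("secs")), d.group("target").strip()))
    return hits


def triage(lines, sample_path):
    loop = analyse_sleeps(parse_delays(lines))
    return {
        "sleep_loop": loop.looks_like_resleep_loop,
        "longest_sleep_ms": loop.longest_ms,
        "self_delete": find_self_delete(lines, sample_path),
    }


# Constructed input in the page's line layout (an excerpt, not the full 50-call series).
SAMPLE = r"C:\Users\user\Desktop\Ddj3E3qerh.exe"
LINES = [
    f"Source: {SAMPLE} | Thread delayed: delay time: 600000",
    f"Source: {SAMPLE} | Thread delayed: delay time: 599875",
    f"Source: {SAMPLE} | Thread delayed: delay time: 599765",
    f"Source: {SAMPLE} | Thread delayed: delay time: 599656",
    f'Source: {SAMPLE} | Process created: C:\\Windows\\SysWOW64\\cmd.exe '
    f'"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "{SAMPLE}"',
    "Source: C:\\Windows\\SysWOW64\\cmd.exe | Process created: "
    "C:\\Windows\\SysWOW64\\choice.exe choice /C Y /N /D Y /T 3",
]

if __name__ == "__main__":
    print(triage(LINES, SAMPLE))
```

The self-delete check keys on the target path rather than on `Del` alone, so a `choice`-based delay followed by deletion of some other file is not reported as self deletion; the sleep check is deliberately loose about the step size because the decrement depends on how fast the sandbox returns from each intercepted Sleep.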

Stealing of Sensitive Information

Source: Yara match | File source: Ddj3E3qerh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTR

Source: Yara match | File source: Ddj3E3qerh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Ddj3E3qerh.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Ddj3E3qerh.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ddj3E3qerh.exe PID: 7644, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconstructed from the flattened matrix, one line per tactic. The number in parentheses is the count of signatures that matched the technique; techniques without a count are part of the matrix layout and did not match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); DLL Side-Loading (1); File Deletion (1); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior graph legend (the graph image itself is not reproduced here): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
Ddj3E3qerh.exe | 69% | Virustotal |
Ddj3E3qerh.exe | 92% | ReversingLabs | Win32.Keylogger.NotFound
Ddj3E3qerh.exe | 100% | Avira | TR/ATRAPS.Gen
Ddj3E3qerh.exe | 100% | Joe Sandbox ML |

No Antivirus matches in the remaining scanner tables (dropped files, unpacked PE files, domains, URLs).
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
URLs from Memory and Binaries

Name | Source | Malicious | Reputation
Memory-dump sources are all Ddj3E3qerh.exe, dump 00000000.00000002.1616729861.<address>.00000004.00000800.00020000.00000000.sdmp; only the 16-digit address differs and it is given below without its leading zeros.
https://reallyfreegeoip.org | addresses 27A9000, 276D000, 2702000, 26BF000, 277B000, 2752000, 27B7000, 275F000 | false | high
http://checkip.dyndns.org | addresses 27A9000, 276D000, 26B3000, 2702000, 26BF000, 277B000, 2752000, 2789000, 27B7000, 275F000 | false | high
http://checkip.dyndns.com | addresses 27A9000, 276D000, 26BF000, 277B000, 2752000, 27B7000, 275F000 | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | address 25F1000 | false | high
http://checkip.dyndns.org/q | Ddj3E3qerh.exe (file) | false | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | addresses 27A9000, 276D000, 2702000, 277B000, 2752000, 27B7000, 275F000 | false | high
http://reallyfreegeoip.org | addresses 27A9000, 276D000, 26D7000, 277B000, 2752000, 27B7000, 275F000 | false | high
https://reallyfreegeoip.org/xml/ | Ddj3E3qerh.exe (file) | false | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
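The network tables above show the pattern behind the report's "May check the online IP address of the machine" and "Tries to detect the country of the analysis system (by using the IP)" signatures: a request to checkip.dyndns.org (or .com) to learn the public address, immediately followed by https://reallyfreegeoip.org/xml/<that address> to geolocate it. Neither host is malicious on its own, so a useful detection looks for the pair from the same client within a short window rather than for either name alone. The following is an added example, not code from the report or from Joe Security: it runs that correlation over constructed proxy log lines in a simple "timestamp client host url user-agent" layout (the 8.46.123.189 address is reused from the report's URL; the client addresses, timestamps and other lookups are invented), and also notes when either request carried no User-Agent, which the report flags separately.

```python
"""Correlating public-IP discovery with a geolocation lookup (added example, not part of the report)."""
import re
from dataclasses import dataclass
from datetime import datetime

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEO_RE = re.compile(r"^https?://reallyfreegeoip\.org/xml/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class Finding:
    client: str
    public_ip: str        # the address the client asked reallyfreegeoip.org about
    seconds_between: float
    no_user_agent: bool   # either request was sent without a User-Agent header


def parse(log_text):
    """Constructed layout: ts client host url user_agent; '-' means no User-Agent."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, url, ua = line.split(maxsplit=4)
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, url, ua))
    return rows


def find_geo_fingerprinting(log_text, window_s=300):
    """IP-check request followed within window_s seconds by a geolocation lookup, per client."""
    last_ipcheck = {}  # client -> (timestamp, user_agent) of its latest IP-check request
    findings = []
    for ts, client, host, url, ua in sorted(parse(log_text)):
        if host in IP_CHECK_HOSTS:
            last_ipcheck[client] = (ts, ua)
            continue
        m = GEO_RE.match(url)
        if not m or client not in last_ipcheck:
            continue
        t0, ua0 = last_ipcheck[client]
        gap = (ts - t0).total_seconds()
        if gap <= window_s:
            findings.append(Finding(client, m.group("ip"), gap, ua0 == "-" or ua == "-"))
    return findings


# Constructed log lines. Only 10.0.0.15 shows the sample's two-step pattern inside the window.
LOG = """\
2025-01-10T22:40:01Z 10.0.0.15 checkip.dyndns.org http://checkip.dyndns.org/ -
2025-01-10T22:40:03Z 10.0.0.15 reallyfreegeoip.org https://reallyfreegeoip.org/xml/8.46.123.189 Mozilla/5.0
2025-01-10T22:41:10Z 10.0.0.22 checkip.dyndns.com http://checkip.dyndns.com/ curl/8.4.0
2025-01-10T22:55:00Z 10.0.0.22 reallyfreegeoip.org https://reallyfreegeoip.org/xml/203.0.113.7 curl/8.4.0
2025-01-10T22:56:00Z 10.0.0.31 reallyfreegeoip.org https://reallyfreegeoip.org/xml/198.51.100.9 Mozilla/5.0
"""

if __name__ == "__main__":
    for f in find_geo_fingerprinting(LOG):
        print(f)
```

The window is the main tuning knob: the report shows the two requests back to back, so a few minutes is enough, and widening it mostly adds legitimate tooling that happens to use both services at different times.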
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588297
Start date and time: 2025-01-10 23:39:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ddj3E3qerh.exe (renamed because the original name is a hash value)
Original Sample Name: 88ec98143583ec8e9c2ab137463322ce04bfb1a03f112fe1fb0d09ad502a1429.exe
Detection: MAL
Classification: mal100.troj.winEXE@6/1@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 53
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Ddj3E3qerh.exe, PID 7644 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
17:40:25 | API Interceptor | 130x Sleep call for process: Ddj3E3qerh.exe modified
Context: IPs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
104.21.96.1 | gH3LlhcRzg.exe | malicious | FormBook | www.dejikenkyu.cyou/58m5/
104.21.96.1 | EIvidclKOb.exe | malicious | FormBook | www.mffnow.info/0pqe/
104.21.96.1 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
132.226.247.73 | 6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | upXUt2jZ0S.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | oEQp0EklDb.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Context: Domains

Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | 6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
reallyfreegeoip.org | PK5pHX4Gu5.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
s-part-0017.t-0009.t-msedge.net | WN9uCxgU1T.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Full-Ver_Setup.exe | malicious | LummaC Stealer | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Qz8OEUxYuH.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ztcrKv3zFz.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | gH3LlhcRzg.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 3j7f6Bv4FT.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | iRmpdWgpoF.exe | malicious | Unknown | 13.107.246.45
checkip.dyndns.com | 6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | PK5pHX4Gu5.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | UF7jzc7ETP.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match (ASN): CLOUDFLARENETUS
  Setup.exe | Get hash | malicious | Unknown | Browse | 104.21.80.1
  Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.162.153
  Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.223.109
  6cicUo3f8g.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.32.1
  PK5pHX4Gu5.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
  Full-Ver_Setup.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.11.60
  7b4Iaf58Rp.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.80.1
  C5JLkBS1CX.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 104.21.80.1
  rXKfKM0T49.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.96.1
  4Vx2rUlb0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match (JA3 fingerprint): 54328bd36c14bd82ddaa0c04b25ed9ad
  6cicUo3f8g.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
  PK5pHX4Gu5.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.96.1
  7b4Iaf58Rp.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.96.1
  C5JLkBS1CX.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
  rXKfKM0T49.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.96.1
  4Vx2rUlb0f.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.96.1
  Yef4EqsQha.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.96.1
  b5BQbAhwVD.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.96.1
  UF7jzc7ETP.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.96.1
  9Yn5tjyOgT.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.96.1
                                                No context
                                                Process:C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1039
                                                Entropy (8bit):5.353332853270839
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                                MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                                SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                                SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                                SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):5.827490492485909
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                File name:Ddj3E3qerh.exe
                                                File size:134'144 bytes
                                                MD5:0a6d497237dc22f74fa9eb514ef6aef1
                                                SHA1:99ced63b28ed88283f8b293d1a4804acb22cf01c
                                                SHA256:88ec98143583ec8e9c2ab137463322ce04bfb1a03f112fe1fb0d09ad502a1429
                                                SHA512:4764ea38a57f5617ef748bc52cb9c6a0aa8c435dfd6dfdec993ecf113d3bd1e413b95c49b94424e5eb9256f525328746a894f8322ca8a4a3817a6c6a1243c6c3
                                                SSDEEP:3072:y99yINAgKjV545jbvk5Hbe7fMuJN07TBqKj+EmfJ9K4b5bPmmmWMIwvcXvQgbY:1INAgKjV5Cjbvk5Hbe7fMuJN07T49K49
                                                TLSH:D9D31A1927E49814E1FF99730271A111C7BAF8131A26DF1D1BC2F8692A7D6D1CE0AF93
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..............P.................. ... ....@.. .......................`............@................................
                                                Icon Hash:90cececece8e8eb0
                                                Entrypoint:0x42142e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x66972DD9 [Wed Jul 17 02:35:05 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the listing continues with 97 x "add byte ptr [eax], al", which is the 00 00 zero padding after the stub decoded as instructions, not code that runs)
Note: 0x00402000 is Imagebase 0x400000 plus the IAT RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT below, 8 bytes), i.e. the single import slot, mscoree.dll!_CorExeMain. This six-byte indirect jump is the stock native entry stub of a managed .NET executable: execution passes straight to the CLR, and the sample's logic lives in its IL and metadata, so the native disassembly at the entry point says nothing about what the sample does.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x213d4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1f434 | 0x1f600 | b5f6da105e0bdfa55e2ee028c737a23f | False | 0.35525087151394424 | data | 5.840469572542788 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x108f | 0x1200 | f59392b7fa5e8b22ad0c6b19a0b07c20 | False | 0.3663194444444444 | data | 4.868462934974607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x24000 | 0xc | 0x200 | 378513806a7b2efb061376f2f8071fd8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key (libmagic misidentification of a VS_VERSIONINFO blob) | | | 0.42358078602620086
RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3926651912741069
DLL | Import
mscoree.dll | _CorExeMain
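The header, data-directory, section and import tables above give everything needed to confirm that the entry point is the stock CLR stub rather than a native unpacking routine, which is the one useful question the entry-point disassembly can answer. The script below is an added example, not code from the report or from Joe Sandbox: the PeInfo values are the report's own (entry point 0x42142e, IAT at RVA 0x2000 of 8 bytes, COM descriptor at RVA 0x2008, .text at RVA 0x2000 with virtual size 0x1f434, a single import mscoree.dll!_CorExeMain), the entry bytes are reconstructed from the disassembly, and the "odd entry" and native inputs are constructed, hypothetical counter-examples.

```python
"""Triage check for the native entry stub of a 32-bit .NET executable.

Added example, not code from the report or from Joe Sandbox. A PE32 managed
executable normally starts with a six-byte native stub, FF 25 <abs32>
(jmp dword ptr [IAT slot]), whose slot is the import of mscoree!_CorExeMain;
the CLR takes over from there. The header values below are the ones this
report prints; the entry-point bytes are constructed from its disassembly
(jmp dword ptr [00402000h] followed by zero padding).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeInfo:
    image_base: int
    entry_point: int          # absolute VA, as the report prints it
    iat_rva: int
    iat_size: int
    com_descriptor_rva: int   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR RVA; 0 for a native PE
    text_va: int
    text_vsize: int
    imports: dict             # dll name -> imported symbols


# Values taken from the report's PE header, data-directory, section and import tables.
REPORT_PE = PeInfo(image_base=0x400000, entry_point=0x42142E, iat_rva=0x2000, iat_size=0x8,
                   com_descriptor_rva=0x2008, text_va=0x2000, text_vsize=0x1F434,
                   imports={"mscoree.dll": ["_CorExeMain"]})
# Constructed: FF 25 = jmp dword ptr [abs32]; abs32 = 0x00402000 little-endian; then 00 padding.
REPORT_ENTRY_BYTES = bytes.fromhex("FF2500204000") + b"\x00" * 10
# Constructed, hypothetical counter-example: same headers, but the jump reads a slot outside
# the IAT, the shape a native pre-loader or unpacking stub leaves behind.
ODD_ENTRY_BYTES = bytes.fromhex("FF2540214000") + b"\x90" * 10


def decode_indirect_jmp(code: bytes):
    """Return the absolute slot address read by a leading jmp dword ptr [abs32], else None."""
    if len(code) < 6 or code[:2] != b"\xFF\x25":
        return None
    return int.from_bytes(code[2:6], "little")


def classify_entry(pe: PeInfo, code: bytes) -> dict:
    """Decide whether the entry point is the stock CLR stub or something to disassemble by hand."""
    managed = pe.com_descriptor_rva != 0
    target = decode_indirect_jmp(code)
    iat_lo, iat_hi = pe.image_base + pe.iat_rva, pe.image_base + pe.iat_rva + pe.iat_size
    via_iat = target is not None and iat_lo <= target < iat_hi
    only_corexemain = pe.imports == {"mscoree.dll": ["_CorExeMain"]}
    # Heuristic: the .NET compilers emit the stub as the last six bytes of .text, right after
    # the import table; for this report 0x2142e + 6 == 0x2000 + 0x1f434 exactly.
    stub_ends_text = pe.entry_point - pe.image_base + 6 == pe.text_va + pe.text_vsize
    if not managed:
        verdict = "native"
    elif via_iat and only_corexemain:
        verdict = "managed, stock _CorExeMain stub"
    else:
        verdict = "managed, non-standard native entry: disassemble before trusting the CLR metadata"
    tail = code[6:] if target is not None else b""
    return {"managed": managed, "jmp_target": target, "via_iat": via_iat,
            "stub_ends_text": stub_ends_text,
            "zero_padding": len(tail) - len(tail.lstrip(b"\x00")), "verdict": verdict}


def demo():
    """Classify the report's entry bytes and the constructed odd variant."""
    return classify_entry(REPORT_PE, REPORT_ENTRY_BYTES), classify_entry(REPORT_PE, ODD_ENTRY_BYTES)
```

demo() returns the stock-stub verdict for the report's bytes (target 0x402000 inside the 8-byte IAT, stub ending exactly at the end of .text, ten bytes of zero padding) and the non-standard verdict for the constructed variant; a sample whose COM descriptor is present but whose entry does not go through the _CorExeMain slot deserves a look in a native disassembler before any .NET decompiler output is trusted.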
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T23:40:24.249618+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49722 | 132.226.247.73 | 80 | TCP
2025-01-10T23:40:26.812425+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49722 | 132.226.247.73 | 80 | TCP
2025-01-10T23:40:28.147802+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49817 | 104.21.96.1 | 443 | TCP
2025-01-10T23:40:28.921505+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49821 | 132.226.247.73 | 80 | TCP
2025-01-10T23:40:34.147765+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.10 | 49861 | 104.21.16.1 | 443 | TCP
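The Suricata table and the TCP packet table that follows it answer different questions: the alerts say which signature fired, the packet table says which connection it fired on, and the capture alternates plain-HTTP requests to checkip.dyndns.com (132.226.247.73:80) with TLS sessions to Cloudflare addresses. The script below is an added example, not part of the report or of Joe Sandbox's tooling: it joins the two tables by 4-tuple, grouping packets into client-to-server flows, attaching each alert to its flow, checking that the alert time falls inside the flow's lifetime, and listing alerts whose flow is missing. Both tables are transcribed from this report as tab-separated constants; the packet constant is an excerpt covering three flows, so the alert on client port 49821 is reported as unmatched on purpose. Taking 192.168.2.10 as the client side follows the report's own addresses.

```python
"""Correlate the report's Suricata alerts with its TCP flows.

Added example, not code from the report or from Joe Sandbox. Both tables are
transcribed from this report as tab-separated text so the script runs offline;
the packet table is an excerpt covering three flows, not the whole capture.
"""
from dataclasses import dataclass, field
from datetime import datetime

CLIENT_IP = "192.168.2.10"  # the analysis VM; flows are oriented with it as the client

# Suricata columns: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto
ALERTS = """\
2025-01-10T23:40:24.249618+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.10\t49722\t132.226.247.73\t80\tTCP
2025-01-10T23:40:26.812425+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.10\t49722\t132.226.247.73\t80\tTCP
2025-01-10T23:40:28.147802+0100\t2803305\tETPRO MALWARE Common Downloader Header Pattern H\t3\t192.168.2.10\t49817\t104.21.96.1\t443\tTCP
2025-01-10T23:40:28.921505+0100\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.10\t49821\t132.226.247.73\t80\tTCP
"""

# Packet columns: timestamp, src port, dst port, src IP, dst IP (excerpt: client ports 49722, 49798, 49817)
PACKETS = """\
Jan 10, 2025 23:40:11.725390911 CET\t49722\t80\t192.168.2.10\t132.226.247.73
Jan 10, 2025 23:40:11.730329037 CET\t80\t49722\t132.226.247.73\t192.168.2.10
Jan 10, 2025 23:40:24.242693901 CET\t49798\t443\t192.168.2.10\t104.21.96.1
Jan 10, 2025 23:40:24.242722988 CET\t443\t49798\t104.21.96.1\t192.168.2.10
Jan 10, 2025 23:40:24.249618053 CET\t49722\t80\t192.168.2.10\t132.226.247.73
Jan 10, 2025 23:40:25.172419071 CET\t443\t49798\t104.21.96.1\t192.168.2.10
Jan 10, 2025 23:40:26.763598919 CET\t49817\t443\t192.168.2.10\t104.21.96.1
Jan 10, 2025 23:40:26.763639927 CET\t443\t49817\t104.21.96.1\t192.168.2.10
Jan 10, 2025 23:40:26.812424898 CET\t49722\t80\t192.168.2.10\t132.226.247.73
Jan 10, 2025 23:40:28.148533106 CET\t49817\t443\t192.168.2.10\t104.21.96.1
Jan 10, 2025 23:40:28.151920080 CET\t49722\t80\t192.168.2.10\t132.226.247.73
"""

@dataclass
class Flow:
    client: str
    cport: int
    server: str
    sport: int
    first: datetime
    last: datetime
    packets: int = 0
    alerts: list = field(default_factory=list)

def parse_packet_time(text):
    # "Jan 10, 2025 23:40:11.725390911 CET": drop the zone name and the three
    # nanosecond digits that strptime's %f (microseconds) cannot take.
    return datetime.strptime(text.rsplit(" ", 1)[0][:-3], "%b %d, %Y %H:%M:%S.%f")

def parse_alert_time(text):
    # "2025-01-10T23:40:24.249618+0100": both tables are in CET, so the offset
    # is dropped to get a naive value comparable with the packet times.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)

def build_flows(packet_text, client_ip=CLIENT_IP):
    """Group packets into client->server flows keyed by (client, cport, server, sport)."""
    flows = {}
    for line in packet_text.splitlines():
        ts, sport, dport, src, dst = line.split("\t")
        if src == client_ip:
            key = (src, int(sport), dst, int(dport))
        elif dst == client_ip:
            key = (dst, int(dport), src, int(sport))
        else:
            continue  # neither side is the analysis VM
        when = parse_packet_time(ts)
        flow = flows.setdefault(key, Flow(*key, first=when, last=when))
        flow.first, flow.last = min(flow.first, when), max(flow.last, when)
        flow.packets += 1
    return flows

def attach_alerts(flows, alert_text):
    """Attach each alert to its flow; return the SIDs whose flow is absent from the packet table."""
    unmatched = []
    for line in alert_text.splitlines():
        ts, sid, sig, sev, src, sport, dst, dport, _proto = line.split("\t")
        flow = flows.get((src, int(sport), dst, int(dport))) or flows.get((dst, int(dport), src, int(sport)))
        if flow is None:
            unmatched.append(int(sid))
            continue
        when = parse_alert_time(ts)
        flow.alerts.append({"sid": int(sid), "signature": sig, "severity": int(sev),
                            "in_window": flow.first <= when <= flow.last})
    return unmatched

def summarize(flows):
    """One row per flow: where it went, how long it lasted, and which signatures fired on it."""
    return [{"server": f"{f.server}:{f.sport}", "client_port": f.cport, "packets": f.packets,
             "duration_s": round((f.last - f.first).total_seconds(), 3),
             "sids": sorted({a["sid"] for a in f.alerts}),
             "max_severity": max((a["severity"] for a in f.alerts), default=None),
             "alerts_in_window": all(a["in_window"] for a in f.alerts)}
            for f in flows.values()]

def analyse(packet_text=PACKETS, alert_text=ALERTS):
    """Return (per-flow summary rows in order of first packet, unmatched alert SIDs)."""
    flows = build_flows(packet_text)
    unmatched = attach_alerts(flows, alert_text)
    return summarize(flows), unmatched
```

Calling analyse() on the excerpt gives three rows: the checkip.dyndns.com flow on client port 49722 carrying SID 2803274 twice, the first TLS session to 104.21.96.1 (port 49798) with no alert, and the second (port 49817) with SID 2803305; the 49821 alert comes back as unmatched because that flow is not in the excerpt. The same destination IP appearing both with and without an alert is the reason to pivot on the flow, not on the address, when deciding what to block or hunt for.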
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:40:11.725390911 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:11.730329037 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:11.730402946 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:11.730616093 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:11.735457897 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:23.572590113 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:23.580374002 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:23.585244894 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:24.194122076 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:24.242693901 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:24.242722988 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:24.242789984 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:24.249618053 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:24.250802040 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:24.250819921 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:24.731762886 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:24.732016087 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:24.793127060 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:24.793155909 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:24.794333935 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:24.843394995 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:25.048485994 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:25.091334105 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:25.172180891 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:25.172419071 CET | 443 | 49798 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:25.172467947 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:25.183751106 CET | 49798 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:25.188186884 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:25.193110943 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:26.761034012 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:26.763598919 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:26.763639927 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:26.763710022 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:26.764072895 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:26.764089108 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:26.812424898 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:27.988269091 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:27.991523027 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:27.991552114 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:28.147806883 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:28.147859097 CET | 443 | 49817 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:28.147943020 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:28.148533106 CET | 49817 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:28.151920080 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:28.154119015 CET | 49821 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:28.158216000 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:28.158934116 CET | 80 | 49821 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:28.159018993 CET | 49722 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:28.159219027 CET | 49821 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:28.159219027 CET | 49821 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:28.163986921 CET | 80 | 49821 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:28.866862059 CET | 80 | 49821 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:28.868478060 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:28.868511915 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:28.868711948 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:28.869005919 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:28.869015932 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:28.921504974 CET | 49821 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:29.327245951 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:29.338254929 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:29.338274002 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:29.467658043 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:29.467735052 CET | 443 | 49827 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:29.467921972 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:29.469217062 CET | 49827 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:29.474219084 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:29.479017973 CET | 80 | 49831 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:29.482330084 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:29.482417107 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:29.487128973 CET | 80 | 49831 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:32.168098927 CET | 80 | 49831 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:32.169576883 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.169622898 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.169868946 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.170214891 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.170228004 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.218372107 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.635623932 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.637948036 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.637969017 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.784729004 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.784785986 CET | 443 | 49852 | 104.21.96.1 | 192.168.2.10
Jan 10, 2025 23:40:32.785439968 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.785439968 CET | 49852 | 443 | 192.168.2.10 | 104.21.96.1
Jan 10, 2025 23:40:32.789175987 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.794096947 CET | 80 | 49831 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:32.794159889 CET | 49831 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.794217110 CET | 49855 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.800937891 CET | 80 | 49855 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:32.804016113 CET | 49855 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.804016113 CET | 49855 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:32.811630964 CET | 80 | 49855 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:33.483732939 CET | 80 | 49855 | 132.226.247.73 | 192.168.2.10
Jan 10, 2025 23:40:33.492978096 CET | 49861 | 443 | 192.168.2.10 | 104.21.16.1
Jan 10, 2025 23:40:33.493011951 CET | 443 | 49861 | 104.21.16.1 | 192.168.2.10
Jan 10, 2025 23:40:33.493169069 CET | 49861 | 443 | 192.168.2.10 | 104.21.16.1
Jan 10, 2025 23:40:33.493498087 CET | 49861 | 443 | 192.168.2.10 | 104.21.16.1
Jan 10, 2025 23:40:33.493505955 CET | 443 | 49861 | 104.21.16.1 | 192.168.2.10
Jan 10, 2025 23:40:33.530905008 CET | 49855 | 80 | 192.168.2.10 | 132.226.247.73
Jan 10, 2025 23:40:33.990834951 CET | 443 | 49861 | 104.21.16.1 | 192.168.2.10
Jan 10, 2025 23:40:33.992644072 CET | 49861 | 443 | 192.168.2.10 | 104.21.16.1
Jan 10, 2025 23:40:33.992660999 CET | 443 | 49861 | 104.21.16.1 | 192.168.2.10
Jan 10, 2025 23:40:34.147789955 CET | 443 | 49861 | 104.21.16.1 | 192.168.2.10
                                                Jan 10, 2025 23:40:34.147849083 CET44349861104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:34.147898912 CET49861443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:34.148430109 CET49861443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:34.152010918 CET4985580192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:34.153131962 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:34.156985044 CET8049855132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:34.157051086 CET4985580192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:34.157934904 CET8049866132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:34.157990932 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:34.158098936 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:34.162822962 CET8049866132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:34.920676947 CET8049866132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:34.922616959 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:34.922645092 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:34.922698975 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:34.922977924 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:34.922990084 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:34.968554020 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.411700964 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:35.413656950 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:35.413691044 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:35.561645985 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:35.561713934 CET44349872104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:35.561835051 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:35.562887907 CET49872443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:35.568324089 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.573241949 CET8049866132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:35.573348045 CET4986680192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.577461958 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.582261086 CET8049877132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:35.582345963 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.582443953 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:35.587219000 CET8049877132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:38.266036034 CET8049877132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:38.267664909 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.267707109 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.267796040 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.268126011 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.268141985 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.312144041 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.728893042 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.730751038 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.730775118 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.851677895 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.851748943 CET44349895104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:38.851875067 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.852509975 CET49895443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:38.856188059 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.857511044 CET4989980192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.861371994 CET8049877132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:38.861471891 CET4987780192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.862306118 CET8049899132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:38.862380028 CET4989980192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.862505913 CET4989980192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:38.867296934 CET8049899132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:40.534389019 CET8049899132.226.247.73192.168.2.10
                                                Jan 10, 2025 23:40:40.536264896 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:40.536314964 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:40.536427021 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:40.536735058 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:40.536746979 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:40.577789068 CET4989980192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:41.000272989 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:41.002152920 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:41.002182007 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:41.157655001 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:41.157718897 CET44349911104.21.16.1192.168.2.10
                                                Jan 10, 2025 23:40:41.157816887 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:41.158375025 CET49911443192.168.2.10104.21.16.1
                                                Jan 10, 2025 23:40:41.303813934 CET4989980192.168.2.10132.226.247.73
                                                Jan 10, 2025 23:40:41.303929090 CET4982180192.168.2.10132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:40:11.708592892 CET | 55618 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 23:40:11.715509892 CET | 53 | 55618 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 23:40:24.234199047 CET | 59206 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 23:40:24.241508961 CET | 53 | 59206 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 23:40:33.485044003 CET | 49207 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 23:40:33.492167950 CET | 53 | 49207 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:40:11.708592892 CET | 192.168.2.10 | 1.1.1.1 | 0x5350 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.234199047 CET | 192.168.2.10 | 1.1.1.1 | 0x275 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.485044003 CET | 192.168.2.10 | 1.1.1.1 | 0x7084 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:40:08.443109035 CET | 1.1.1.1 | 192.168.2.10 | 0xda09 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:40:08.443109035 CET | 1.1.1.1 | 192.168.2.10 | 0xda09 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:11.715509892 CET | 1.1.1.1 | 192.168.2.10 | 0x5350 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:24.241508961 CET | 1.1.1.1 | 192.168.2.10 | 0x275 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:40:33.492167950 CET | 1.1.1.1 | 192.168.2.10 | 0x7084 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49722 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:11.730616093 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:23.572590113 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:40:23.580374002 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:40:24.194122076 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:40:25.188186884 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:40:26.761034012 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49821 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:28.159219027 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:40:28.866862059 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49831 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:29.482417107 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:32.168098927 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:32 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49855 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:32.804016113 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:33.483732939 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49866 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:34.158098936 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:34.920676947 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49877 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:35.582443953 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:38.266036034 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:38 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49899 | 132.226.247.73 | 80 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:40:38.862505913 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:40:40.534389019 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:40:40 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.1049798104.21.96.14437644C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                TimestampBytes transferredDirectionData
                                                2025-01-10 22:40:25 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:25 UTC861INHTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:25 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863614
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KGgrMKeoN8w9mVlmEAYH2Hxi8DQkqanc%2F3Bl%2Bf1m%2BdkGkKda1sTp%2F%2Fs6G5Kmol1Mxn3SyL6DET749YwuHK7cYHHGpFwJmymxr15KZYbsaJV%2FIP2rreusxyXOhHpGHlIAc1JcpW0A"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b2cdaad4363-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1583&rtt_var=599&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1844598&cwnd=240&unsent_bytes=0&cid=e8f9da3fb541c08d&ts=448&x=0"
                                                2025-01-10 22:40:25 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.10 | 49817 | 104.21.96.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:27 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-10 22:40:28 UTC | 859 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:28 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863617
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOJ%2FE5vfirprbaXl01B8aaFngql36gezqY%2BCVwnS96smyhIkXOlK6zz63yYDFsygfDWljTeI1DolQeiRxycG81x%2FCh1kY%2F3OMN5U%2FcDVvi0PcU4FCwchGUhoGq2A5lzM7EAu32HH"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b3f7dd5c32e-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1647&rtt_var=625&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1772920&cwnd=178&unsent_bytes=0&cid=0d7c89d897743a06&ts=906&x=0"
                                                2025-01-10 22:40:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.10 | 49827 | 104.21.96.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:29 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:29 UTC | 855 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:29 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863618
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oBxQw79kG9bL4hM7rpXhUpgwC3OrMn%2FxbQcBSVm9tcqX7oWohvl7vLcSmTv5bePKMM9BubIp%2FXWGXedW7t%2BtsmLDEbuP2MFyweX98hbBkMV2JVqY7AEeb8FVMSKTEg71e6Pby3Sq"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b47cf331a48-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2002&rtt_var=774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1393794&cwnd=157&unsent_bytes=0&cid=97c4f24c93d00d12&ts=148&x=0"
                                                2025-01-10 22:40:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.10 | 49852 | 104.21.96.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:32 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:32 UTC | 857 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:32 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863621
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z0cLasxhb4OWpDnl4TJImWxrx22m5s9z1G79DAxBKf%2FLfnrE3nIAIAisJ9yFDU16n1jocC6z%2BOT4JeRpg37No7SmIuHHWdfwj5xpdwTYUrDYJXGcQ1GZ65x%2FU1DL6uEL7bIy%2BLMW"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b5c7da61a48-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1922&rtt_var=740&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1459270&cwnd=157&unsent_bytes=0&cid=98bb68b105b289e2&ts=154&x=0"
                                                2025-01-10 22:40:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.10 | 49861 | 104.21.16.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:33 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-10 22:40:34 UTC | 869 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:34 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863623
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9t0Qb%2BzHZDN70hmHtpRApj5XH8pVfknAhTxjjIc%2B4hXfS6XxNG7hvwH%2Fb%2Bubauc9%2BgalAFHTi463%2FfU0Z%2B6AKB8%2BJZ9tPVeUczcXATlaMMAd%2FvoT6VVz%2BvTai9CTpT3DQKMBzmBD"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b64faf67293-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1908&rtt_var=741&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1452736&cwnd=158&unsent_bytes=0&cid=d479866b0b92677c&ts=162&x=0"
                                                2025-01-10 22:40:34 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.10 | 49872 | 104.21.16.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:35 UTC | 859 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:35 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863624
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gJ3athWS7ZGM7dfYYjnAdBAUKJaezqzaUtI7FlMIPk637CC1XieuB80lIzos9ui7E%2ByR64vqvUJ5Fo3K%2BFgCp9nIHwnH9seKJ%2BWh1hn4aKoZULsWDUZXdvUEQG6h%2FzSMV9CH%2BTf5"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b6dcae80fa8-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1461&rtt_var=564&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1998631&cwnd=252&unsent_bytes=0&cid=51fdd81fce86a069&ts=155&x=0"
                                                2025-01-10 22:40:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.10 | 49895 | 104.21.16.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:38 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:38 UTC | 853 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:38 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863627
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nb7LqYzHxFZgn8IMNOW6LrjkvkppgZU8AGhp4FVr2Asa4tjMos%2Fyyj1z46iRHZan4oQHKhqjs5v9QJd9cYw%2BkEoul6THeOT7GeBwxUZOzEOWlrx0M1YAZXwkA2U7MCu0v9Z9dfcv"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b827ab37293-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=2078&min_rtt=1968&rtt_var=816&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1483739&cwnd=158&unsent_bytes=0&cid=7429dcc5a81d6e3b&ts=135&x=0"
                                                2025-01-10 22:40:38 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.10 | 49911 | 104.21.16.1 | 443 | 7644 | C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-10 22:40:40 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-10 22:40:41 UTC | 857 | IN | HTTP/1.1 200 OK
                                                Date: Fri, 10 Jan 2025 22:40:41 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1863630
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=olsJN7lxfiXetqfU%2BGET0u4Q7s79y9354y7EU5TyWZrmBsWq3BkmlZwyXaUIczp9R%2FHtKN%2BWpcTrT8K4%2FRCBKZlifJvHe5r11tsBUF3RPMKbiXAHL3FL3QfZ6GmraSRYzOb2vUIs"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90002b90dbbe4388-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1572&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1794714&cwnd=221&unsent_bytes=0&cid=0148f159c4e007ee&ts=163&x=0"
                                                2025-01-10 22:40:41 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                Target ID:0
                                                Start time:17:40:10
                                                Start date:10/01/2025
                                                Path:C:\Users\user\Desktop\Ddj3E3qerh.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Ddj3E3qerh.exe"
                                                Imagebase:0x280000
                                                File size:134'144 bytes
                                                MD5 hash:0A6D497237DC22F74FA9EB514EF6AEF1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.1316295496.0000000000282000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1616729861.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:17:40:40
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Ddj3E3qerh.exe"
                                                Imagebase:0xd70000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:17:40:40
                                                Start date:10/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:17:40:40
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\choice.exe
                                                Wow64 process (32bit):true
                                                Commandline:choice /C Y /N /D Y /T 3
                                                Imagebase:0xd10000
                                                File size:28'160 bytes
                                                MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  • Opcode Fuzzy Hash: a6644e1cde4789817a10c5fdee5969364ba456d055a101cddb988bceb1fdf5e4
                                                  • Instruction Fuzzy Hash: 4B518674E01208DFDB44DFA9D994A9DBBF2FF89300F248169E819AB365DB30A945CF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c0126c2d870fb88bc3cfb1441378788f7b0cce4f606400ee0f66d9a8e7455d52
                                                  • Instruction ID: fdb22b9923911714430ed258e6d91058c26de1dc7060bd9c0e2f3b1a73ab9005
                                                  • Opcode Fuzzy Hash: c0126c2d870fb88bc3cfb1441378788f7b0cce4f606400ee0f66d9a8e7455d52
                                                  • Instruction Fuzzy Hash: AB5196B4E01208CFCB48DFA9D59499DBBF2FF89301F609469E805AB364DB31A946CF40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e0b341da3606b3255eb84448a55d711ac8dee202f0b4205f5c544bd9f6cdac3
                                                  • Instruction ID: e41f6fad0c6d187e0faa197bb147b1ad1207b3ce3523635bedcc8d2055dee221
                                                  • Opcode Fuzzy Hash: 2e0b341da3606b3255eb84448a55d711ac8dee202f0b4205f5c544bd9f6cdac3
                                                  • Instruction Fuzzy Hash: E3419A31A042599FCF11CFA8D848BADBBB2FF49314F14859AE881DB2A1D335ED15DB60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3bec825f4cc5363934bf9da94e02198fd9421755a088c7eca1051f2f31a4a10
                                                  • Instruction ID: 7cc2712d9c233f18d213f1ca49668cf54b585b2b8b044690665abbac31d60376
                                                  • Opcode Fuzzy Hash: b3bec825f4cc5363934bf9da94e02198fd9421755a088c7eca1051f2f31a4a10
                                                  • Instruction Fuzzy Hash: 223190316001099FCB069F68D864EAF7BB2FF88310F114428F915CB251CB75DD65EBA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac9a9a3de24c5d6dde6940965cb4dc77a878ed9a874751f9fc6969403ce372cc
                                                  • Instruction ID: 24f9a82ea033c23f4381611e9693ec655d1ce34a4c0f82c48160774daeec64ef
                                                  • Opcode Fuzzy Hash: ac9a9a3de24c5d6dde6940965cb4dc77a878ed9a874751f9fc6969403ce372cc
                                                  • Instruction Fuzzy Hash: F221CF343086188BEB1616399894F7927B7FFD8719718407DDA02CB795EE39CC42AA81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e00ae0b8ace967c1ab8ad80ec12e35aef5cc85466a808d047bc3fcdee60e6344
                                                  • Instruction ID: 8f8f55f1e5841d913fbe34f139b60f2bd88e06d5d6e86939b51df2726412a263
                                                  • Opcode Fuzzy Hash: e00ae0b8ace967c1ab8ad80ec12e35aef5cc85466a808d047bc3fcdee60e6344
                                                  • Instruction Fuzzy Hash: 96318171A005098FCB08CF6DD885AAEBBB2FF89354B158159E525D73A1CB34DD06CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 924ed454980f8e53d4445085bdcdfd3898ffc034445d4b2351c086b4f51de373
                                                  • Instruction ID: d838b15a58a5c6eef9e7d3229f7ea8e90b83ddd74e341c528882b994d0ddd8af
                                                  • Opcode Fuzzy Hash: 924ed454980f8e53d4445085bdcdfd3898ffc034445d4b2351c086b4f51de373
                                                  • Instruction Fuzzy Hash: 0C21B3343086184BEB1516398894F7A36A7FFD8719F28807CD502CB794EE79CC41AB84
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc94eeec06e50128386046c022c7622b849152e37a401529386639630ed92e31
                                                  • Instruction ID: a5483973fa58da0459b5475745db3b87d77407117bb310b75e69f43ee69e1953
                                                  • Opcode Fuzzy Hash: bc94eeec06e50128386046c022c7622b849152e37a401529386639630ed92e31
                                                  • Instruction Fuzzy Hash: 3721C135700A218FCB169A29D494A6FBBB2FF89361715866DE806CB355CF30EC06CB80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b93d700895ce652149a38cf2c7333e8a7745c22aa20b078524da4d47448027b4
                                                  • Instruction ID: 6352aadeb7ae3c25386ce86f25de311353891e540dac67b8f659b41750803410
                                                  • Opcode Fuzzy Hash: b93d700895ce652149a38cf2c7333e8a7745c22aa20b078524da4d47448027b4
                                                  • Instruction Fuzzy Hash: 6F21B275A006049FCB14EB68C450EAE7BB5FB98360F20C52ED919CB294DA31EE46CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615567180.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_86d000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ab5eb15cfbf2f3a81eed45103dfd9080481dcdf00975fc3e9174d9f2c71a899c
                                                  • Instruction ID: d6a1f495c9a2b125dcfbd53d4a6cdc33096c53a15e87dfa87d033bae929a47bf
                                                  • Opcode Fuzzy Hash: ab5eb15cfbf2f3a81eed45103dfd9080481dcdf00975fc3e9174d9f2c71a899c
                                                  • Instruction Fuzzy Hash: 462125B2A04344DFDB15DF10D8C0B26BB65FB98324F25C169E9098F246C736EC56CBA6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58f439461a143d1250351d459c5db012d1422c2806ac6f7962573a3c52ac7ec6
                                                  • Instruction ID: 1ca764ce72d2afe2f3c1e0d18e9ac27f38ff09116a336b2abb68682c0c4bce51
                                                  • Opcode Fuzzy Hash: 58f439461a143d1250351d459c5db012d1422c2806ac6f7962573a3c52ac7ec6
                                                  • Instruction Fuzzy Hash: 542118749422089FDF09DFB4E851AEDB7B2FB89301F105429D801B7364DB359946CF65
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d63399d2b0da3b9c2abdace2a063cd935d03e3fca11c7b7bf5d56c60f1622a68
                                                  • Instruction ID: 72f0bfa8e5f39c3c2c2c47e6addef2d3aeb93bf105d475226381f988ce052623
                                                  • Opcode Fuzzy Hash: d63399d2b0da3b9c2abdace2a063cd935d03e3fca11c7b7bf5d56c60f1622a68
                                                  • Instruction Fuzzy Hash: E72189B0C04609CFCB51EFA4C4986EDBFF0FF5A311F54456ED805A6255EB309A49CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed1a95d7bc0336884bacb7b227bee4a2d0aff7cc99529fd94bb55a13577c5e64
                                                  • Instruction ID: 8a476e318fccb843e0abb763fdaeb32474ac7395a1d525971a31471d9fab6b6d
                                                  • Opcode Fuzzy Hash: ed1a95d7bc0336884bacb7b227bee4a2d0aff7cc99529fd94bb55a13577c5e64
                                                  • Instruction Fuzzy Hash: 9421EB31C10619DECB11EFE8D844AECFBB4FF4A315F149529D504B7254EB70AA59CB50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb8389dc003d8c4904ff37fb042c266380e82332f06404072a4d1bc1909171c8
                                                  • Instruction ID: 4aa69266bc073a7aefb80cfe7b79c4bf0e6250ddcd36601bbc38fba2e52dc536
                                                  • Opcode Fuzzy Hash: cb8389dc003d8c4904ff37fb042c266380e82332f06404072a4d1bc1909171c8
                                                  • Instruction Fuzzy Hash: 51115275E452595FCF01DBB8AC009DEB734FF85320B248757D526B7091E6316506C791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a96ac5db685c43ed29fc5f9b73eabf3a1ad890436b9032362254d6fad68ff6b
                                                  • Instruction ID: 03e552c5b6aa3582bd4104cedbae5d4e9b9570769050947e1ab8d7838237d77c
                                                  • Opcode Fuzzy Hash: 2a96ac5db685c43ed29fc5f9b73eabf3a1ad890436b9032362254d6fad68ff6b
                                                  • Instruction Fuzzy Hash: C63194B8E01308DFCB44DFA8E59499DBBB2FF49305B618469E809AB364D731AD49DF40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b01c7a3c2697fdcf8fc48b6255fa2fefa5946214a9d32d29980f9bb6fae4a35
                                                  • Instruction ID: f0171b2a83d857dbea7a9a640615bba1e5b4347bce135c1a43fd650b5b52173a
                                                  • Opcode Fuzzy Hash: 3b01c7a3c2697fdcf8fc48b6255fa2fefa5946214a9d32d29980f9bb6fae4a35
                                                  • Instruction Fuzzy Hash: 8A21CF316041498FDB129F68E464FAB7BA2FF98314F114429F805CB251CB34CD96DB95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 75f664989093c073dfe0aec6c6f71311ab0cd6cef2389ace46014a02d5619591
                                                  • Instruction ID: 1330c04d9014802984f92fd7589df471d3d2838bbc437d2f1ffed4dae93f00a7
                                                  • Opcode Fuzzy Hash: 75f664989093c073dfe0aec6c6f71311ab0cd6cef2389ace46014a02d5619591
                                                  • Instruction Fuzzy Hash: D021F4749012088FCB08EFB4E854AEEB7B2FB89301F10542AD405B73A4DB36A949CF65
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec1c9df446a85c3cb8e9a4abafce358fc1ff475f07d1e13aaa6cb1f406fadebb
                                                  • Instruction ID: 754f8ebd844e02d450588bf1e7091f366dd24ea8e397b638fdec5ec6f26c5509
                                                  • Opcode Fuzzy Hash: ec1c9df446a85c3cb8e9a4abafce358fc1ff475f07d1e13aaa6cb1f406fadebb
                                                  • Instruction Fuzzy Hash: 2E118E35740A219FCB1A9A2AC4A4A3EB7A6FF88761715456CE906CB350DF30EC428BD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615567180.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_86d000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction ID: 60a708f642e88d7ebf7350b439ac90a778c3fb6bb1bfab8033e442756f9eb1fe
                                                  • Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
                                                  • Instruction Fuzzy Hash: 6B11B176904280DFCB16CF10D5C4B16BF72FB94324F28C5A9DC494B656C33AE856CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2dda6b23366eb0b66f42e57d04da82ffd7c787e0478455a7a11445f365246cf9
                                                  • Instruction ID: f37e2a060764792a91fb60f7af74c14e6f7330ef125accf179287561b69bf5d8
                                                  • Opcode Fuzzy Hash: 2dda6b23366eb0b66f42e57d04da82ffd7c787e0478455a7a11445f365246cf9
                                                  • Instruction Fuzzy Hash: 0121EFB4C052098FCB41EFA8D8485EEBFF4FF09301F10556AD805B7264EB305A59CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6cdae67ac13b82e5c5cf0949c9012154cef995c4b80164955a96e13ba4c0f638
                                                  • Instruction ID: 51b90c488596597019d3f600e232ca5410dedd9ad39bcfe787548f00ae7dfdc4
                                                  • Opcode Fuzzy Hash: 6cdae67ac13b82e5c5cf0949c9012154cef995c4b80164955a96e13ba4c0f638
                                                  • Instruction Fuzzy Hash: 57019271B001146FCB068E589810BEE3BA7EBC8751F28802AF915D7280DA71D9559795
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9c53359ed650806f0d67c476db92476ca89a8844daa35080448747fd677e121
                                                  • Instruction ID: 395f6aa820aaa31d67b2d12a5391f9e5ffa1e8a2bfc49b3c5c13f8d6e81696b2
                                                  • Opcode Fuzzy Hash: c9c53359ed650806f0d67c476db92476ca89a8844daa35080448747fd677e121
                                                  • Instruction Fuzzy Hash: 09E0D831D243964FC722A7B4A8584FEBF70ADD7320B1546ABD0A06B446EB30156AC791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4b7b1b7e470c426161026a97edb0a25007a2a1753545dbe83264577eec41b59
                                                  • Instruction ID: 5173bff55ec8661dcf84086ce029f384702e65dc4f64c9eecc6a0c168bdb71ed
                                                  • Opcode Fuzzy Hash: e4b7b1b7e470c426161026a97edb0a25007a2a1753545dbe83264577eec41b59
                                                  • Instruction Fuzzy Hash: 76D01231D2032A978B10A6A5DC044EEBB38EE95221B504626D51437144EB70665986A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
                                                  Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
• Instruction ID: 424aabe94c3d3ee2485083fa33323e6a4a0327aa14ef1962270f123a77eb900b
• Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
• Instruction Fuzzy Hash: DBC0123324C1286A9624104E7C44EA3675CD3C17B4925013BF51CD320058529C4001A4

Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e48f083cca5bb0663c18d4a3be405d8f76820716d99606aeaef47be837ea8c
• Instruction ID: 46d5d9bde28b73d7dcf867261e4cd9c33b0561eb599840837444ffb4404ed7d0
• Opcode Fuzzy Hash: d2e48f083cca5bb0663c18d4a3be405d8f76820716d99606aeaef47be837ea8c
• Instruction Fuzzy Hash: EFD0173BF000089FCB008F88E8408DDB7B6FB8C222B008116E911A3260C6319821DB50

Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55ca6b3ce31f0371d0190803ef8deec3745e17a6c91d623583d3752fa925e5f9
• Instruction ID: 133611e2dbb9735414869bdf974e4e8fc333d785b91c3dca3e610ea57dc71898
• Opcode Fuzzy Hash: 55ca6b3ce31f0371d0190803ef8deec3745e17a6c91d623583d3752fa925e5f9
• Instruction Fuzzy Hash: 01D02B709043820FCB12F330F5A28983B26EA83104B548195FC828911BEABE498F9B72

Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d57a903c7f88bf965d31259b738b75d5111f9dec3cb81eabd214e7bf0ac1089d
• Instruction ID: 66227afc70ac50cdb0db8cb41d249559eabe98a71f5fc41c89467d6f44bb904d
• Opcode Fuzzy Hash: d57a903c7f88bf965d31259b738b75d5111f9dec3cb81eabd214e7bf0ac1089d
• Instruction Fuzzy Hash: 67C012705103094FD541F771EA45A15331EF6C5600F808510F04A4552DEFB85A8A5AA6

Strings
Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID: Xq$$q
• API String ID: 0-855381642
• Opcode ID: a2f7f3a587c3df0c039d7452aad3c02a99163e41a38a3669d43b049e80d01e5f
• Instruction ID: 592a081e78152e041e437cab1cc669c0bf757c68c04062be34416656a94ab825
• Opcode Fuzzy Hash: a2f7f3a587c3df0c039d7452aad3c02a99163e41a38a3669d43b049e80d01e5f
• Instruction Fuzzy Hash: A4915934F002589BDB98EB78985476EBAB6FF88710B14842EA406E7384CE34DD069B91

Strings
Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID: Xq$Xq$Xq$Xq
• API String ID: 0-3965792415
• Opcode ID: f30e0bf889c108efb43305926b6c93c0215572f88dc90dc2f6b63148914608c1
• Instruction ID: 5b47096505b3f167088b09ebb32ea902baeef3343c0717b3e88d754ec515ba6a
• Opcode Fuzzy Hash: f30e0bf889c108efb43305926b6c93c0215572f88dc90dc2f6b63148914608c1
• Instruction Fuzzy Hash: 2E519270E043298BDF659B688855BAEB7B6FF89300F1445ADC40AE7391DB70CD85CB92

Strings
Memory Dump Source
• Source File: 00000000.00000002.1615854657.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8c0000_Ddj3E3qerh.jbxd
Similarity
• API ID:
• String ID: \;q$\;q$\;q$\;q
• API String ID: 0-2933265366
• Opcode ID: 43754d738145ad85a467ebce741084a14520cbdf741c6168eb39e85f2d07a7b3
• Instruction ID: c6ea2c35426e4aff6a387e403bdf73917484c0eba8afa09fdf53ac5543b48d06
• Opcode Fuzzy Hash: 43754d738145ad85a467ebce741084a14520cbdf741c6168eb39e85f2d07a7b3
• Instruction Fuzzy Hash: 67015E317049188F8B248E2DC454F2573B6FF89765729427EE502FB2A0EA71DC628B51