
Windows Analysis Report
wymvwQ4mC4.exe

Overview

General Information

Sample name: wymvwQ4mC4.exe (renamed because original name is a hash value)
Original sample name: da4a4370eb4e97775038824dfc8e9eb85e795ee6db9a182ab8965f25aa533630.exe
Analysis ID: 1588330
MD5: 4f94fd9f205bbf26710198a0e176b35f
SHA1: 7fcd8d18153a9b25e37cce7f15f968ef7d923dfc
SHA256: da4a4370eb4e97775038824dfc8e9eb85e795ee6db9a182ab8965f25aa533630
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wymvwQ4mC4.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\wymvwQ4mC4.exe" MD5: 4F94FD9F205BBF26710198A0E176B35F)
    • cmd.exe (PID: 7112 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 764 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{
  "Exfil Mode": "Telegram",
  "Telegram URL": "https://api.telegram.org/bot7622135756:AAEBp5QqV4AX6ez0fgQ6b7e2UfaZs6-XBCw/sendMessage?chat_id=8026328633",
  "Username": "info@ozdenticaret.com.tr",
  "Password": "Ozd.135246",
  "Host": "mail.ozdenticaret.com.tr",
  "Port": "587",
  "Token": "7622135756:AAEBp5QqV4AX6ez0fgQ6b7e2UfaZs6-XBCw",
  "Chat_id": "8026328633",
  "Version": "5.1"
}
Source | Rule | Description | Author | Strings
wymvwQ4mC4.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
wymvwQ4mC4.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
wymvwQ4mC4.exe | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
wymvwQ4mC4.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x14801:$a1: get_encryptedPassword
  • 0x14aed:$a2: get_encryptedUsername
  • 0x1460d:$a3: get_timePasswordChanged
  • 0x14708:$a4: get_passwordField
  • 0x14817:$a5: set_encryptedPassword
  • 0x15e87:$a7: get_logins
  • 0x15dea:$a10: KeyLoggerEventArgs
  • 0x15a55:$a11: KeyLoggerEventArgsEventHandler
wymvwQ4mC4.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x1c366:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b598:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1b9cb:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ca0a:$a5: \Kometa\User Data\Default\Login Data
Source | Rule | Description | Author | Strings
00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x14601:$a1: get_encryptedPassword
  • 0x148ed:$a2: get_encryptedUsername
  • 0x1440d:$a3: get_timePasswordChanged
  • 0x14508:$a4: get_passwordField
  • 0x14617:$a5: set_encryptedPassword
  • 0x15c87:$a7: get_logins
  • 0x15bea:$a10: KeyLoggerEventArgs
  • 0x15855:$a11: KeyLoggerEventArgsEventHandler
00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen |
  • 0x197ac:$x1: $%SMTPDV$
  • 0x18050:$x2: $#TheHashHere%&
  • 0x19754:$x3: %FTPDV$
  • 0x17ff0:$x4: $%TelegramDv$
  • 0x15855:$x5: KeyLoggerEventArgs
  • 0x15bea:$x5: KeyLoggerEventArgs
  • 0x19778:$m2: Clipboard Logs ID
  • 0x199ac:$m2: Screenshot Logs ID
  • 0x19abc:$m2: keystroke Logs ID
  • 0x19d96:$m3: SnakePW
  • 0x19984:$m4: \SnakeKeylogger\
00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Source | Rule | Description | Author | Strings
0.0.wymvwQ4mC4.exe.8a0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.wymvwQ4mC4.exe.8a0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.wymvwQ4mC4.exe.8a0000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.0.wymvwQ4mC4.exe.8a0000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x14801:$a1: get_encryptedPassword
  • 0x14aed:$a2: get_encryptedUsername
  • 0x1460d:$a3: get_timePasswordChanged
  • 0x14708:$a4: get_passwordField
  • 0x14817:$a5: set_encryptedPassword
  • 0x15e87:$a7: get_logins
  • 0x15dea:$a10: KeyLoggerEventArgs
  • 0x15a55:$a11: KeyLoggerEventArgsEventHandler
0.0.wymvwQ4mC4.exe.8a0000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x1c366:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b598:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1b9cb:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ca0a:$a5: \Kometa\User Data\Default\Login Data
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T00:06:25.122275+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49751 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:26.224892+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49758 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:27.394012+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49768 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:29.692382+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49787 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:32.435418+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49811 | 104.21.96.1 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T00:06:23.555238+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49742 | 193.122.130.0 | 80 | TCP
2025-01-11T00:06:24.430291+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49742 | 193.122.130.0 | 80 | TCP
2025-01-11T00:06:25.649023+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49755 | 193.122.130.0 | 80 | TCP


                    AV Detection

Source: wymvwQ4mC4.exe | Avira: detected
Source: 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7622135756:AAEBp5QqV4AX6ez0fgQ6b7e2UfaZs6-XBCw/sendMessage?chat_id=8026328633", "Username": "info@ozdenticaret.com.tr", "Password": "Ozd.135246", "Host": "mail.ozdenticaret.com.tr", "Port": "587", "Token": "7622135756:AAEBp5QqV4AX6ez0fgQ6b7e2UfaZs6-XBCw", "Chat_id": "8026328633", "Version": "5.1"}
Source: wymvwQ4mC4.exe | Virustotal: Detection: 69%
Source: wymvwQ4mC4.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: wymvwQ4mC4.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: wymvwQ4mC4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49744 version: TLS 1.0
Source: wymvwQ4mC4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Yara match | File source: wymvwQ4mC4.exe, type: SAMPLE
Source: Yara match | File source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:62329 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49755 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49742 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49758 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49768 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49787 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49751 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49811 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: wymvwQ4mC4.exeString found in binary or memory: http://checkip.dyndns.org/q
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: wymvwQ4mC4.exeString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811

                    System Summary

Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011F6108
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FC192
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FB328
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FC470
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FC752
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011F9858
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011F6880
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FBBD2
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FCA32
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011F4AD9
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011FBEB0
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Code function: 0_2_011F3572
Source: wymvwQ4mC4.exe, 00000000.00000002.1472197037.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs wymvwQ4mC4.exe
Source: wymvwQ4mC4.exe, 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs wymvwQ4mC4.exe
Source: wymvwQ4mC4.exe | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs wymvwQ4mC4.exe
Source: wymvwQ4mC4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: wymvwQ4mC4.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine | Classification label: mal100.troj.winEXE@6/1@2/2
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wymvwQ4mC4.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
                    Source: wymvwQ4mC4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: wymvwQ4mC4.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: wymvwQ4mC4.exeVirustotal: Detection: 69%
                    Source: wymvwQ4mC4.exeReversingLabs: Detection: 91%
                    Source: wymvwQ4mC4.exeString found in binary or memory: F-Stopw
                    Source: unknownProcess created: C:\Users\user\Desktop\wymvwQ4mC4.exe "C:\Users\user\Desktop\wymvwQ4mC4.exe"
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                    Source: wymvwQ4mC4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: wymvwQ4mC4.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe"
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Process information set: NOOPENFILEERRORBOX (50 identical events)
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 594110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 593985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 593860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 593735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 593610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Window / User API: threadDelayed 1605
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Window / User API: threadDelayed 8189
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 2840 | Thread sleep count: 1605 > 30
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -599610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 2840 | Thread sleep count: 8189 > 30
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -599485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -599360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -599235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -599110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -593860s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -593735s >= -30000s
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe TID: 6948 | Thread sleep time: -593610s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 599110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\wymvwQ4mC4.exe | Thread delayed: delay time: 596110
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595985Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595360Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595235Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 595110Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594985Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594860Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594735Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594485Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594360Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594235Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 594110Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 593985Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 593860Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 593735Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeThread delayed: delay time: 593610Jump to behavior
                    Source: wymvwQ4mC4.exe, 00000000.00000002.1472197037.0000000000DE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeQueries volume information: C:\Users\user\Desktop\wymvwQ4mC4.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\wymvwQ4mC4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: wymvwQ4mC4.exe, type: SAMPLE
Source: Yara match | File source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR

Source: Yara match | File source: wymvwQ4mC4.exe, type: SAMPLE
Source: Yara match | File source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: wymvwQ4mC4.exe, type: SAMPLE
Source: Yara match | File source: 0.0.wymvwQ4mC4.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wymvwQ4mC4.exe PID: 6188, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic column; a leading number is reproduced where the report showed one in front of the technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; 1 File Deletion; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1588330, Sample: wymvwQ4mC4.exe, Start date: 11/01/2025, Architecture: WINDOWS, Score: 100)

• Start node: resolves reallyfreegeoip.org, checkip.dyndns.org and checkip.dyndns.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures
• reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• wymvwQ4mC4.exe (started): connects to checkip.dyndns.com (193.122.130.0, 49742, 49755, 49764, ORACLE-BMC-31898US, United States) and reallyfreegeoip.org (104.21.96.1, 443, 49744, 49751, CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\...\wymvwQ4mC4.exe.log (ASCII); signature: Self deletion via cmd or bat file; starts cmd.exe
• cmd.exe (started by wymvwQ4mC4.exe): starts conhost.exe and choice.exe

Source | Detection | Scanner | Label
wymvwQ4mC4.exe | 69% | Virustotal |
wymvwQ4mC4.exe | 92% | ReversingLabs | Win32.Keylogger.NotFound
wymvwQ4mC4.exe | 100% | Avira | TR/ATRAPS.Gen
wymvwQ4mC4.exe | 100% | Joe Sandbox ML |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | wymvwQ4mC4.exe | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D82000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, wymvwQ4mC4.exe, 00000000.00000002.1473316381.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | wymvwQ4mC4.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588330
Start date and time: 2025-01-11 00:05:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wymvwQ4mC4.exe (renamed because the original name is a hash value)
Original Sample Name: da4a4370eb4e97775038824dfc8e9eb85e795ee6db9a182ab8965f25aa533630.exe
Detection: MAL
Classification: mal100.troj.winEXE@6/1@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 49
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target wymvwQ4mC4.exe, PID 6188 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
18:06:23 | API Interceptor | 66x Sleep call for process: wymvwQ4mC4.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.96.1 | gH3LlhcRzg.exe | malicious | FormBook | www.dejikenkyu.cyou/58m5/
104.21.96.1 | EIvidclKOb.exe | malicious | FormBook | www.mffnow.info/0pqe/
104.21.96.1 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
193.122.130.0 | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VQsnGWaNi5.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | y1jQC8Y6bP.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | zAK7HHniGW.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | B3aqD8srjF.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | VIAmJUhQ54.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | bd9Gvqt6AK.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Salary Payment Information Discrepancy_pdf.pif.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1
reallyfreegeoip.org | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | 2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
reallyfreegeoip.org | Ddj3E3qerh.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | 6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
reallyfreegeoip.org | PK5pHX4Gu5.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
checkip.dyndns.com | H75MnQEha8.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
checkip.dyndns.com | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | z87sammylastborn.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | Ddj3E3qerh.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | 6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | PK5pHX4Gu5.exe | malicious | MassLogger RAT | 158.101.44.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1
CLOUDFLARENETUS | Gz2FxKx2cM.exe | malicious | FormBook | 104.21.36.62
CLOUDFLARENETUS | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.184.241
CLOUDFLARENETUS | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | 2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | xJZHVgxQul.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
ORACLE-BMC-31898US | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | PK5pHX4Gu5.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
                                              VQsnGWaNi5.exeGet hashmaliciousSnake KeyloggerBrowse
                                              • 193.122.130.0
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              54328bd36c14bd82ddaa0c04b25ed9adH75MnQEha8.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.96.1
                                              3i1gMM8K4z.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                              • 104.21.96.1
                                              2NJzy3tiny.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.96.1
                                              z87sammylastborn.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.96.1
                                              vnV17JImCH.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 104.21.96.1
                                              czHx16QwGQ.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                              • 104.21.96.1
                                              Ddj3E3qerh.exeGet hashmaliciousSnake KeyloggerBrowse
                                              • 104.21.96.1
                                              6cicUo3f8g.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 104.21.96.1
                                              PK5pHX4Gu5.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.96.1
                                              7b4Iaf58Rp.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                              • 104.21.96.1
                                              No context
                                              Process:C:\Users\user\Desktop\wymvwQ4mC4.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1039
                                              Entropy (8bit):5.353332853270839
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                              MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                              SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                              SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                              SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                              Malicious:true
                                              Reputation:moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.835724306688762
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              File name:wymvwQ4mC4.exe
                                              File size:133'120 bytes
                                              MD5:4f94fd9f205bbf26710198a0e176b35f
                                              SHA1:7fcd8d18153a9b25e37cce7f15f968ef7d923dfc
                                              SHA256:da4a4370eb4e97775038824dfc8e9eb85e795ee6db9a182ab8965f25aa533630
                                              SHA512:dda1b8602bc339901b96de775de5d3576428f148cc08b0985eed5caf4b58997a1be7d9114ecc18e9e8487d5ad28b81c4b17810b0e40eb20f4ced1b6520e7098f
                                              SSDEEP:3072:lLIyRktx3CI9jVhNZ5KvRksb5h8m9ywvcGLgbY:DRyxSoKksbbmb
                                              TLSH:5BD3080927E49804E1FFA9730671A116C775BC025A2BDF1D1BC2F86D2A3D6D18E1AF93
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..............P.................. ... ....@.. .......................`............@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x42109e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66972DD9 [Wed Jul 17 02:35:05 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this instruction is listed 97 times in a row: the bytes following the jump stub are all 0x00, which x86 decodes as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21048 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1f0a4 | 0x1f200 | a209c4b06ce2397c39ec471a65846f19 | False | 0.35761012801204817 | data | 5.849477342426767 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x108f | 0x1200 | f59392b7fa5e8b22ad0c6b19a0b07c20 | False | 0.3663194444444444 | data | 4.868462934974607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x24000 | 0xc | 0x200 | 1c7b754aa0adfc020208b6aac243ab1d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key | | | 0.42358078602620086
RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3926651912741069
DLL | Import
mscoree.dll | _CorExeMain


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T00:06:23.555238+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49742 | 193.122.130.0 | 80 | TCP
2025-01-11T00:06:24.430291+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49742 | 193.122.130.0 | 80 | TCP
2025-01-11T00:06:25.122275+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49751 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:25.649023+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49755 | 193.122.130.0 | 80 | TCP
2025-01-11T00:06:26.224892+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49758 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:27.394012+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49768 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:29.692382+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49787 | 104.21.96.1 | 443 | TCP
2025-01-11T00:06:32.435418+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49811 | 104.21.96.1 | 443 | TCP
                                              • Total Packets: 100
                                              • 443 (HTTPS)
                                              • 80 (HTTP)
                                              • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:06:22.933007002 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:22.938605070 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:22.938900948 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:22.939178944 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:22.946794033 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:23.403635979 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:23.408279896 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:23.414560080 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:23.509605885 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:23.555238008 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:23.571645975 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:23.571666002 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:23.571743965 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:23.582607985 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:23.582622051 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.054871082 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.054946899 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.063188076 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.063226938 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.063726902 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.117690086 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.147423029 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.191337109 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.273139000 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.273209095 CET | 443 | 49744 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.273260117 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.281250954 CET | 49744 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.285933018 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:24.290749073 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:24.385783911 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:24.430290937 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:24.437771082 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.437810898 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.437983036 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.448832989 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.448856115 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.940591097 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:24.943099976 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:24.943130016 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:25.122181892 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:25.122267008 CET | 443 | 49751 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:25.122322083 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:25.122961044 CET | 49751 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:25.127156019 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:25.128473997 CET | 49755 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:25.132154942 CET | 80 | 49742 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:25.132220984 CET | 49742 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:25.133373022 CET | 80 | 49755 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:25.133522034 CET | 49755 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:25.133594990 CET | 49755 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:25.138873100 CET | 80 | 49755 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:25.601088047 CET | 80 | 49755 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:25.602899075 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:25.602937937 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:25.603043079 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:25.603387117 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:25.603403091 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:25.649023056 CET | 49755 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:26.073594093 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.075376987 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.075403929 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.224898100 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.224956989 CET | 443 | 49758 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.225049973 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.225779057 CET | 49758 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.230694056 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:26.235614061 CET | 80 | 49764 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:26.235711098 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:26.235819101 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:26.240597010 CET | 80 | 49764 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:26.736057997 CET | 80 | 49764 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:26.738482952 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.738578081 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.738660097 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.739073038 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:26.739088058 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:26.791522980 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.234921932 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.236825943 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.236866951 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.394109964 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.394243002 CET | 443 | 49768 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.394382000 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.395735979 CET | 49768 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.400027037 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.400815964 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.405155897 CET | 80 | 49764 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:27.405487061 CET | 49764 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.405608892 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:27.405685902 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.405788898 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:27.410577059 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:27.911876917 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:27.913301945 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.913341045 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.913408995 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.913733959 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:27.913749933 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:27.961457968 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.367747068 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:28.370302916 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:28.370320082 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:28.520988941 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:28.521060944 CET | 443 | 49779 | 104.21.96.1 | 192.168.2.9
Jan 11, 2025 00:06:28.521176100 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:28.521810055 CET | 49779 | 443 | 192.168.2.9 | 104.21.96.1
Jan 11, 2025 00:06:28.525849104 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.526921034 CET | 49783 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.530766010 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:28.530946970 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.531793118 CET | 80 | 49783 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:28.531843901 CET | 49783 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.531963110 CET | 49783 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 00:06:28.536731005 CET | 80 | 49783 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:29.077838898 CET | 80 | 49783 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 00:06:29.079260111 CET | 49787 | 443 | 192.168.2.9 | 104.21.96.1
                                              Jan 11, 2025 00:06:29.079317093 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.079396963 CET49787443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:29.079685926 CET49787443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:29.079704046 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.133356094 CET4978380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.535588026 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.537477970 CET49787443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:29.537513971 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.692400932 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.692459106 CET44349787104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:29.692503929 CET49787443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:29.693233013 CET49787443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:29.697823048 CET4978380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.699152946 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.703532934 CET8049783193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:29.703588009 CET4978380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.704768896 CET8049793193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:29.704960108 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.704960108 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:29.710575104 CET8049793193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:30.676511049 CET8049793193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:30.678423882 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:30.678487062 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:30.678549051 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:30.678884029 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:30.678910017 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:30.727092028 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.141225100 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.143086910 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.143112898 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.279362917 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.279432058 CET44349800104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.279495955 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.280076027 CET49800443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.283591032 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.284957886 CET4980580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.288907051 CET8049793193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:31.289005041 CET4979380192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.289863110 CET8049805193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:31.289937019 CET4980580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.290035009 CET4980580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:31.294785976 CET8049805193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:31.820584059 CET8049805193.122.130.0192.168.2.9
                                              Jan 11, 2025 00:06:31.823335886 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.823376894 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.823436022 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.824145079 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:31.824156046 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:31.867718935 CET4980580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:32.300605059 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:32.302457094 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:32.302474976 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:32.435451031 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:32.435516119 CET44349811104.21.96.1192.168.2.9
                                              Jan 11, 2025 00:06:32.435576916 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:32.436216116 CET49811443192.168.2.9104.21.96.1
                                              Jan 11, 2025 00:06:32.644829035 CET4980580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:06:32.644846916 CET4975580192.168.2.9193.122.130.0
                                              Jan 11, 2025 00:07:04.440989971 CET6232953192.168.2.9162.159.36.2
                                              Jan 11, 2025 00:07:04.445836067 CET5362329162.159.36.2192.168.2.9
                                              Jan 11, 2025 00:07:04.446090937 CET6232953192.168.2.9162.159.36.2
                                              Jan 11, 2025 00:07:04.450932026 CET5362329162.159.36.2192.168.2.9
                                              Jan 11, 2025 00:07:04.903294086 CET6232953192.168.2.9162.159.36.2
                                              Jan 11, 2025 00:07:04.908241987 CET5362329162.159.36.2192.168.2.9
                                              Jan 11, 2025 00:07:04.908315897 CET6232953192.168.2.9162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:06:22.919953108 CET | 49396 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:06:22.926883936 CET | 53 | 49396 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:06:23.563100100 CET | 54148 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 00:06:23.570611000 CET | 53 | 54148 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 00:07:04.437423944 CET | 53 | 53933 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 00:07:05.182920933 CET | 53 | 49714 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 00:06:22.919953108 CET | 192.168.2.9 | 1.1.1.1 | 0xec27 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.563100100 CET | 192.168.2.9 | 1.1.1.1 | 0x8569 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:22.926883936 CET | 1.1.1.1 | 192.168.2.9 | 0xec27 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:06:23.570611000 CET | 1.1.1.1 | 192.168.2.9 | 0x8569 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49742 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:22.939178944 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:23.403635979 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 26a5ca8d0e028ec9dbbabcf6f73a0def
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:06:23.408279896 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:06:23.509605885 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 60ccb3125fe45c69d2b3d7a79b06ddac
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:06:24.285933018 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:06:24.385783911 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c4537b99b7453a6d302127c506a06d18
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49755 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:25.133594990 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:06:25.601088047 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:25 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 46c7a066031542418e636aa0b29eb4f9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49764 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:26.235819101 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:26.736057997 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 87e7458f8079074b313f6ecf6d3674e1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49774 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:27.405788898 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:27.911876917 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 0e15a2d4995773cd671f06bf4b96e257
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49783 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:28.531963110 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:29.077838898 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 66f04fa0547d47c5da17844343878403
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49793 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:29.704960108 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:30.676511049 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5f03be3bae5ce8b2cc1deb53dadea5a4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49805 | 193.122.130.0 | 80 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:06:31.290035009 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:06:31.820584059 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 656fadff071267d38bc1f0ef16864b00
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49744 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:24 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 23:06:24 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:06:24 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1865173
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HtQ1NoUsDNXuWvzX0vimU%2B22sSBvYDlyfcs2FaOtmkXWrQ4CisYLWAQRxWz0wAAKpCbFyZ%2Bu%2FKLvPrSnqGCMfpVn0bxLYLCZk10nLDr5UiWaG4y7TPMkGKUQSOou3GOCPkTYuUb6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000513d49f572a4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=1996&rtt_var=764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1462925&cwnd=212&unsent_bytes=0&cid=fb1ffbffd9352583&ts=230&x=0"
2025-01-10 23:06:24 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49751 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:24 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
2025-01-10 23:06:25 UTC | 855 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:25 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865174
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t8ct0S049naRaDbE4CNlEDr742qMvScjO%2FK4QZ9mfLe9pVa7zOhs0qlN6if9%2BSL53piY3WBKI%2F6MC9i72qbABiRIJvpp08NbVLaJSeHV0EI6Y6Jz0DbX2O0VV1uLpwL2qqfRxZpQ"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900051428ba9c32e-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1722&min_rtt=1714&rtt_var=660&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1637689&cwnd=178&unsent_bytes=0&cid=237b6341ea63fbb5&ts=190&x=0"
2025-01-10 23:06:25 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49758 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:26 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
2025-01-10 23:06:26 UTC | 857 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:26 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865175
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9mvJ41W1p1CpIzBCtnudLu8L5u2GCzZgrt%2FJAt1hZ4%2B8YCXsoQ6coA2ZLJjvZmrwpEqbrz5tAw%2BLarEMMprpkxvJJRxJcz6gOMAHahJWsOA6F%2BLQgLjtPSjz2dL7yNcMXxo5tJ4V"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900051498eb872a4-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1949&rtt_var=745&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1454907&cwnd=212&unsent_bytes=0&cid=d62aba272aa1c1b8&ts=155&x=0"
2025-01-10 23:06:26 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49768 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:27 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
2025-01-10 23:06:27 UTC | 855 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:27 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865176
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0Pr9eQYvtVUqUkX1HLYxKjKc8iRcWqigXdjtRqa66q%2BxPywG0Sl44MKzwqqcG5vUIjYmiojQntASeBr6hQfjB9eAQG5Q6TMQzr8%2BoBIWugkiJXguyhR94qoyWo8%2FPIl4m5GznSc"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90005150cf6572a4-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1966&rtt_var=741&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1474003&cwnd=212&unsent_bytes=0&cid=e344a5cea0eb99a7&ts=165&x=0"
2025-01-10 23:06:27 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49779 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:28 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
2025-01-10 23:06:28 UTC | 859 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:28 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865177
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LMWEJub6jn8%2B4OQA8R9vPihDvz4wzhJWgd7BikV%2FikngzmvSGhKlpocVjg5T0LPxnkNqDZuwHV6e0IAGc7Qx%2Fpm3zDYxFtrOnpZyENdEZP8S%2F5bKh536UpD2%2B5CY8NCPUtyo4C6C"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90005157ef6572a4-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2010&rtt_var=763&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1452736&cwnd=212&unsent_bytes=0&cid=554a9b555da99e64&ts=157&x=0"
2025-01-10 23:06:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49787 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:29 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
2025-01-10 23:06:29 UTC | 857 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:29 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865178
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zV7vvn%2FD3Z2x1eioBPW4lxYeXOmOHOtIqLlWuGA%2FSqQcGbEuqz1OO46NUUA7mxk%2Fn7uqdtRMjQBFLQG8LbMvCBUzx5yIJeVtcyQCfXZXSk3BWKoYV8HmHBdSGBdS7Ja07bC%2Fc4oi"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 9000515f2e05c32e-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1583&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1778319&cwnd=178&unsent_bytes=0&cid=118250bef055ff34&ts=163&x=0"
2025-01-10 23:06:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49800 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:31 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
2025-01-10 23:06:31 UTC | 861 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:31 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865180
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zv48x7o4epKKhxbOjyy8R0Wc6%2BOOKZB1THMl0uN%2Bv9BGn5%2FvcwBVrdtlqRNj2Mz8lWYKOTKMEvsNx7yYCjlVHJ%2F%2FazfXP%2B0hIAe644OW95bEfn17GsErtTZ93jvfyyR0lbOceWnj"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90005169188142c0-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1704&rtt_var=645&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1689814&cwnd=212&unsent_bytes=0&cid=1fa39a139e1d050a&ts=143&x=0"
2025-01-10 23:06:31 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49811 | 104.21.96.1 | 443 | 6188 | C:\Users\user\Desktop\wymvwQ4mC4.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:06:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
2025-01-10 23:06:32 UTC | 857 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:06:32 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1865181
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2BBuCMabWtMlkRJeqzNZqWVEyUs%2Bm6mHhbcJmpEFCD3Nw5CGyb3%2BxajpUmZU237aoommsiLlcluv2IEwOpEnVNrkIAuB9p0S3DCWsRlmqsCrf72p7nC223yQnrQ66jULkaknm%2FfT"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900051705ebac32e-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1699&rtt_var=640&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1707602&cwnd=178&unsent_bytes=0&cid=01b3290cfeaac8a8&ts=137&x=0"
2025-01-10 23:06:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
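The sessions above all show the same thing: the sample asks reallyfreegeoip.org for the geolocation of the sandbox's public IP (8.46.123.189) roughly once a second, with a bare GET that carries no User-Agent, and gets back an XML document whose CountryCode field is what a country-gating check would read before deciding whether to run. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses that reply (the closing tags are added, since the report viewer truncates the body at "TimeZo") and runs a simple detection over constructed proxy-log lines in an assumed "timestamp pid image method host path user-agent" format. GEOIP_HOSTS, the log format, the process names other than the sample's, and the burst thresholds are all assumptions to adapt to your own telemetry.

```python
"""Added example (not from the Joe Sandbox report or the sample): parse the
reallyfreegeoip.org reply and flag the geolocation-lookup pattern in
constructed proxy-log lines."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Geolocation services to watch. Only reallyfreegeoip.org appears in this
# report; extending the set is up to your own telemetry (assumption).
GEOIP_HOSTS = {"reallyfreegeoip.org"}

# Body as captured in the report (the viewer cuts it at "TimeZo"); the
# closing </TimeZone></Response> tags are added here so it parses (assumption).
SAMPLE_XML = (
    "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n"
    "\t<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n"
    "\t<RegionName>New York</RegionName>\n\t<City>New York</City>\n"
    "\t<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZone>\n"
    "</Response>"
)


def parse_geoip_response(xml_text: str) -> dict:
    """Return tag -> text for the reply; CountryCode is the field a
    country-gating check would compare against an allow/deny list."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed proxy-log lines, format "ts pid image method host path user-agent"
# (the format is an assumption; adapt LOG_RE to your proxy or EDR). The first
# three mirror sessions 1-3 of the report: same PID, no User-Agent ("-").
# The firefox.exe line is constructed benign noise.
SAMPLE_LOG = """\
2025-01-10T23:06:24Z 6188 C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe GET reallyfreegeoip.org /xml/8.46.123.189 -
2025-01-10T23:06:26Z 6188 C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe GET reallyfreegeoip.org /xml/8.46.123.189 -
2025-01-10T23:06:27Z 6188 C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe GET reallyfreegeoip.org /xml/8.46.123.189 -
2025-01-10T23:10:02Z 4120 C:\\Program Files\\Mozilla Firefox\\firefox.exe GET reallyfreegeoip.org /xml/8.46.123.189 Mozilla/5.0
"""
LOG_RE = re.compile(r"^(\S+) (\d+) (.+?) (GET|POST) (\S+) (\S+) (\S+)$")


def find_geoip_lookups(log_text: str, min_hits: int = 2, window_s: int = 60) -> list[dict]:
    """Flag a process that queries a geo-IP service repeatedly within
    window_s seconds, or at all without a User-Agent (both seen above)."""
    per_proc = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the detector
        ts, pid, image, _method, host, path, ua = m.groups()
        if host.lower() not in GEOIP_HOSTS:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_proc[(int(pid), image)].append((when, path, ua))

    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort()
        burst = len(hits) >= min_hits and hits[-1][0] - hits[0][0] <= timedelta(seconds=window_s)
        no_ua = any(ua == "-" for _, _, ua in hits)
        if burst or no_ua:
            alerts.append({
                "pid": pid,
                "image": image,
                "hits": len(hits),
                "no_user_agent": no_ua,
                # the last path element is the IP the process asked about
                "looked_up_ip": sorted({p.rsplit("/", 1)[-1] for _, p, _ in hits}),
            })
    return alerts


if __name__ == "__main__":
    print("CountryCode:", parse_geoip_response(SAMPLE_XML)["CountryCode"])
    for alert in find_geoip_lookups(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports the sample's PID 6188 with three hits and no User-Agent, and stays silent on the single browser request that carries one. The two conditions are kept separate on purpose: the burst catches a loop that retries until the lookup succeeds, and the missing User-Agent catches a one-off lookup from a raw socket or WebClient call that a browser would never produce.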


[Timeline charts not reproduced: CPU usage and memory usage (MB) over the first 50 s of the run, with a per-process behavior distribution across File, Registry and Network activity.]

                                              Target ID:0
                                              Start time:18:06:21
                                              Start date:10/01/2025
                                              Path:C:\Users\user\Desktop\wymvwQ4mC4.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\wymvwQ4mC4.exe"
                                              Imagebase:0x8a0000
                                              File size:133'120 bytes
                                              MD5 hash:4F94FD9F205BBF26710198A0E176B35F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.1371482742.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1473316381.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:18:06:31
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\wymvwQ4mC4.exe"
                                              Imagebase:0xc50000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:18:06:31
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff70f010000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:18:06:31
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\choice.exe
                                              Wow64 process (32bit):true
                                              Commandline:choice /C Y /N /D Y /T 3
                                              Imagebase:0x390000
                                              File size:28'160 bytes
                                              MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true
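The process tree above shows how the "Self deletion via cmd or bat file" signature fires: the sample spawns cmd.exe with choice /C Y /N /D Y /T 3 & Del "<its own path>", where choice waits up to 3 seconds before defaulting to Y, after which del removes the original executable while the sample's code keeps running from memory. The following Python is an added example, not from the report or the sample: it splits a cmd.exe command line on & and flags a delay primitive followed by a del whose target is the parent process image. The event tuples are constructed to mirror the tree (the explorer.exe parents and the benign last event are assumptions), and the timeout and ping alternatives to choice are a generalisation from common usage, not something observed in this report.

```python
"""Added example (not from the Joe Sandbox report or the sample): detect the
delayed self-deletion pattern  cmd.exe /C <delay> & del "<own path>"  in
constructed process-creation events."""
import re

# Events as (parent_image, image, command_line). The middle two mirror the
# report's process tree; the explorer.exe parents and the last, benign
# event are constructed (assumptions).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe",
     '"C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe"'),
    ("C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe",
     "C:\\Windows\\SysWOW64\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\\Users\\user\\Desktop\\wymvwQ4mC4.exe"'),
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     "C:\\Windows\\SysWOW64\\choice.exe",
     "choice /C Y /N /D Y /T 3"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C del "C:\\Users\\user\\AppData\\Local\\Temp\\build.log"'),
]

# "cmd[.exe]", optionally quoted and pathed, then /C or /K, then the command body.
CMD_RE = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I)
# Delay primitives: choice /T <n> is what this report shows; timeout and
# ping are common substitutes added as a generalisation (assumption).
DELAY_RE = re.compile(r"^(?:choice\b.*?/T\s+\d+|timeout\b.*?\d+|ping\b.*?-n\s+\d+)", re.I)
# del/erase with optional switches and an optionally quoted target path.
DEL_RE = re.compile(r'^(?:del|erase)\b\s*(?:/[a-z]\s+)*"?(.+?)"?$', re.I)


def split_segments(cmdline: str) -> list[str]:
    """Strip the cmd.exe /C prefix and split the body on & or && into the
    individual commands cmd would run in sequence."""
    m = CMD_RE.match(cmdline)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]


def detect_self_delete(events) -> list[dict]:
    """Flag cmd.exe launches that pair a delay primitive with del, and say
    whether the deleted path is the parent process image (true self-deletion)."""
    alerts = []
    for parent, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        segments = split_segments(cmdline)
        delay = next((s for s in segments if DELAY_RE.match(s)), None)
        targets = [m.group(1).strip() for s in segments if (m := DEL_RE.match(s))]
        if delay is None or not targets:
            continue  # a plain del, or a delay without a del, is not this pattern
        alerts.append({
            "parent": parent,
            "delay": delay,
            "targets": targets,
            "deletes_parent": any(t.lower() == parent.lower() for t in targets),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_self_delete(SAMPLE_EVENTS):
        print(alert)
```

Only the cmd.exe launched by the sample is reported, with deletes_parent set because the del target equals the parent image; the housekeeping del of a log file has no delay and is ignored. Comparing the target against the parent image rather than just matching the string "del" is what keeps the rule from firing on every cleanup script.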

                                              Executed Functions

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3fd2f2678ee91f13af65db7f81c5d52275df40358cea67046fd02a832bb54f9b
                                              • Instruction ID: 6a97d23a2e8df58893fab534c7425234a8226a3eef0db9bb96159e09f473eab7
                                              • Opcode Fuzzy Hash: 3fd2f2678ee91f13af65db7f81c5d52275df40358cea67046fd02a832bb54f9b
                                              • Instruction Fuzzy Hash: 7F72B334A00609DFCB19DF68D894AAEBBF2FF88304F158559E609DB3A1D734E941CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aae60a0d83840a4d81ea7c0027f880c24fd85b3faf18b311ddb8d9b451cb0579
                                              • Instruction ID: 65ff694d84a482b782aeae5873f12d5aa9f8799363aac743643c6a4982108302
                                              • Opcode Fuzzy Hash: aae60a0d83840a4d81ea7c0027f880c24fd85b3faf18b311ddb8d9b451cb0579
                                              • Instruction Fuzzy Hash: 5421A139320A004BFB1E166D88A8A7E36979FC8B14F14417DE702CB7D6EF25CC429391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe238699b7da0826775e205b8be6c271babb397607c772b05e9f1db86ff78024
                                              • Instruction ID: 6b44d08c667851acaadd476407722c162ac439c3a97991d8b65280194a50561f
                                              • Opcode Fuzzy Hash: fe238699b7da0826775e205b8be6c271babb397607c772b05e9f1db86ff78024
                                              • Instruction Fuzzy Hash: DE31B870B005058FCB08DF6DD884AAEBBB6FF84750B158128E619D73A1DB34ED02CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e55e19a6589d65274cc63de4fb081f0c1f9c46b84e81ce2e4abd722a624fa63
                                              • Instruction ID: 475fd3beddc43d08276cf7d4d304556ecda6a0e42fc0ba77f5a441e11d2955d8
                                              • Opcode Fuzzy Hash: 4e55e19a6589d65274cc63de4fb081f0c1f9c46b84e81ce2e4abd722a624fa63
                                              • Instruction Fuzzy Hash: 9D315971C042089ECF05EFE8E9186ECBBB4FF0A305F119619E544B7255E7306A5ACB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e01dcec466cc4d92da4fc92db0edddf4bf2d4e962aa28fcb5428c5ee9dc11b17
                                              • Instruction ID: 3b9e37aa793c9320382ff7ac5ab07e542e90abe2973cc2653d963f8f47633937
                                              • Opcode Fuzzy Hash: e01dcec466cc4d92da4fc92db0edddf4bf2d4e962aa28fcb5428c5ee9dc11b17
                                              • Instruction Fuzzy Hash: BD21A435A00114AFCF18DF78D4509BE7BA6EB99750B21C41DE90A9B340DB35EE46CBE1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 231288ab266ae571d9dc67520933ff6bec47b843b3dd180fadc7dec766325ee9
                                              • Instruction ID: 33090502aa4beb3195ccd67f74e5e77ab7c307e56f808e7f531f12ba17a454e9
                                              • Opcode Fuzzy Hash: 231288ab266ae571d9dc67520933ff6bec47b843b3dd180fadc7dec766325ee9
                                              • Instruction Fuzzy Hash: 38219A75C08609DFDB16EFA8D4851EEBFF0BF49304F08416ED605A7215EB315A85CBA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b9eab70ac2adbd246365b2f4e94e159b25b4b7bbc545708449465bdca29f90b
                                              • Instruction ID: 036110a699fd4d5838f9dba75aa092903eccd898c7c4147be34278f2a4d7296f
                                              • Opcode Fuzzy Hash: 3b9eab70ac2adbd246365b2f4e94e159b25b4b7bbc545708449465bdca29f90b
                                              • Instruction Fuzzy Hash: 2321C335300A119BD71D9A29D49452FBBA3FBC9751B05816DEA06CB345DF34EC02CBD0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24b7849a468055ac0f7ad10eac7376896fdca23332247787812fd827637d00ae
                                              • Instruction ID: 40a6f2979f294d30016fb72cd857073f7f83474f471e74265a3e533d7f7b7a8b
                                              • Opcode Fuzzy Hash: 24b7849a468055ac0f7ad10eac7376896fdca23332247787812fd827637d00ae
                                              • Instruction Fuzzy Hash: 992127749012088FDF08EBB4D850AEDB7B2FF8A300F109568D405B3364DB399A42CF68
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2023f65a50b4a07da3887016cd85dea4503032d34615a9a37385f85a9455cf17
                                              • Instruction ID: 09983af28e98875a14e347b9b57ba298b5ba8ddcb55c76cf1ffe85312934de91
                                              • Opcode Fuzzy Hash: 2023f65a50b4a07da3887016cd85dea4503032d34615a9a37385f85a9455cf17
                                              • Instruction Fuzzy Hash: B931B478E01348CFCB48EFA8E58499DBBB6FF49305B214469E819AB324DB31AC05CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 49a042d61357a73242b64841775b7bbe76a39c7c254cee8599c8b211303a014f
                                              • Instruction ID: 7ca05bedbc07b8de787acc10df3d7fb6da4397da5d0051db23cfc853db4d3d9d
                                              • Opcode Fuzzy Hash: 49a042d61357a73242b64841775b7bbe76a39c7c254cee8599c8b211303a014f
                                              • Instruction Fuzzy Hash: 5F21C3327081159FDB19AE68E445B6F3BA2EB98710F004028FA45CB282CB38DD52CBE0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19257235f4ce60b96878fcea5481468268efb1b2b8fb2b7e7ca43a9327499b39
                                              • Instruction ID: 3607544625e8ade9e15707661815a32a4a1f6156614de6d367c2525615060f94
                                              • Opcode Fuzzy Hash: 19257235f4ce60b96878fcea5481468268efb1b2b8fb2b7e7ca43a9327499b39
                                              • Instruction Fuzzy Hash: 9121E474A412088FDF08EBB4D954AEEB7B2FF8A704F109528D41973364DB399942CF69
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6185fb8bd3383c1dfd4d131f35c4b0a29f81a2f86a23a4f672a4cf45d65bfc8
                                              • Instruction ID: ba6ea32fb4c34e163832fda8a07f9037d7e38e86ead147499386d635f3d12d8c
                                              • Opcode Fuzzy Hash: e6185fb8bd3383c1dfd4d131f35c4b0a29f81a2f86a23a4f672a4cf45d65bfc8
                                              • Instruction Fuzzy Hash: E121CFB4C106098FCB44EFA8D9856EEBFF0BF09301F10816AD905B2214EB345A46CFA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aac902f979458fa89380da118d02e861bad09f4543a26c72672dc3900d34dff5
                                              • Instruction ID: 49cca26b7697870b5b2f804294ecd10cf90a3edd12d63a3cf2654dd13fd317cd
                                              • Opcode Fuzzy Hash: aac902f979458fa89380da118d02e861bad09f4543a26c72672dc3900d34dff5
                                              • Instruction Fuzzy Hash: CC01B5727001156BDB459E55E810BEF7FA7DBD8660F18802DF655D7280CA79C812DBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d24e5d1a5e9cb6acf48bc8f6274b8a6fcd627ddfd12fc7cfab8a5c5bc6b328e5
                                              • Instruction ID: d7848c0729f63b846fc141eb917b31583a748b9c7a2cb4fa8c3fab5dede437cd
                                              • Opcode Fuzzy Hash: d24e5d1a5e9cb6acf48bc8f6274b8a6fcd627ddfd12fc7cfab8a5c5bc6b328e5
                                              • Instruction Fuzzy Hash: 23E04F32D202299BCB00DBA9D8459EEBF78FF96710F405915E52023000EBB02559C6A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55a851494bfc4c7a210a8aae277925cc24195b41d540807b65526cd089379f2e
                                              • Instruction ID: bba9d96c405148bfcb18c9dd1c0137657cd8e2bec0e6b545df3e698778d81f31
                                              • Opcode Fuzzy Hash: 55a851494bfc4c7a210a8aae277925cc24195b41d540807b65526cd089379f2e
                                              • Instruction Fuzzy Hash: 9CD05B31D2022A57CB00E7A5DC044EFFB38EED6721B504626D51437140FB702659C6F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                              • Instruction ID: 673487d13b6267efe35d7ef50f08cca45dd6a041e773dbecd05e22346e7344c6
                                              • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                              • Instruction Fuzzy Hash: 9EC0123710C1242A9629104E7C409A7674CC2C13B4915013BF61C9721055529C4041B5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 864834ec827a116fc3c8cc5a36c3c30588a99a0a6cccaf04235cee33878e2c97
                                              • Instruction ID: 61335ec72afa4be4ef7606ed89e7a3ffaf5c2d6765015ff4b18ab4d9abfa7b47
                                              • Opcode Fuzzy Hash: 864834ec827a116fc3c8cc5a36c3c30588a99a0a6cccaf04235cee33878e2c97
                                              • Instruction Fuzzy Hash: 8CD0677AB11009AFCF059F98E8419DDF7B6FB9C221B048116F925A7260C6319961DB60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3bef64b91072708b4f3427076713e066fcec3409bb3d9433e4e7d4c909f92c8f
                                              • Instruction ID: 14d7d76e8ec414729f8147fd7ece995cac784e48859bd299deca50b3243c5201
                                              • Opcode Fuzzy Hash: 3bef64b91072708b4f3427076713e066fcec3409bb3d9433e4e7d4c909f92c8f
                                              • Instruction Fuzzy Hash: 99D0A57050C3C187EB06F3B0EE719553F3165C1618F5C45D5D4808D55BE9756C5DC351
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 280fc5d9a7b112f4f8409dc792c1c1924b653df92a09d89abc342bcbe60af280
                                              • Instruction ID: a2b03da17c2737dbe5cceb9530c5d85bb45bf892baab48c0f517428b34d9f0b4
                                              • Opcode Fuzzy Hash: 280fc5d9a7b112f4f8409dc792c1c1924b653df92a09d89abc342bcbe60af280
                                              • Instruction Fuzzy Hash: A5C0807021834AC7ED05F7B1FB55659332A77C0504F44C650F00949119DE78BC9547D1

                                              Non-executed Functions

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1473053317.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11f0000_wymvwQ4mC4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64a5904502af3124cc24b17defe2746ed2a471abe2c14d19eff40b5747e18059
                                              • Instruction ID: 549c65f812dcefe47591b28d86a98f2023a1db3d31371d01159061ca73187a80
                                              • Opcode Fuzzy Hash: 64a5904502af3124cc24b17defe2746ed2a471abe2c14d19eff40b5747e18059
                                              • Instruction Fuzzy Hash: E2A1B231F003589BDB1CDB7998546AEBBB6BFC4710B45862DE542E7388CF399802CB91