
Windows Analysis Report
tVuAoupHhZ.exe

Overview

General Information

Sample name: tVuAoupHhZ.exe (renamed because the original name is a hash value)
Original sample name: cb84dc0df43c3fe063e43f547dd9678ffa8c054ba955f98bf35c9a8581be5c87.exe
Analysis ID: 1588345
MD5: 4634e3e6584b3f6f79c63b718dcd858c
SHA1: 2a540ad0f78d989a4a32521354aaa7ec65a83a9e
SHA256: cb84dc0df43c3fe063e43f547dd9678ffa8c054ba955f98bf35c9a8581be5c87
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • tVuAoupHhZ.exe (PID: 1276 cmdline: "C:\Users\user\Desktop\tVuAoupHhZ.exe" MD5: 4634E3E6584B3F6F79C63B718DCD858C)
    • cmd.exe (PID: 2876 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7064 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
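The cmd.exe child in the tree above is what the "Self deletion via cmd or bat file" signature fires on: choice /C Y /N /D Y /T 3 blocks for three seconds (the default answer Y is taken when the timer expires, /N hides the prompt), giving the parent time to exit and release its image before Del removes it from the Desktop. The following Python is an added detection example, not part of the Joe Sandbox report or of the sample: it runs over constructed process-creation events in a Sysmon Event ID 1 shape (the tVuAoupHhZ.exe chain copied from the process tree, plus a benign cmd.exe del added for contrast) and flags a cmd.exe whose command line deletes its own parent's image, recording whether a delay primitive (choice /T, timeout /T, ping -n) precedes the delete. The record shape, the benign record and the parent PID of the first record are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 shape (assumed), not the report's
# raw telemetry. The first three records reproduce the command lines in the process tree above;
# the fourth is a benign scripted cleanup added for contrast.
EVENTS = [
    {"pid": 1276, "ppid": 6000, "image": r"C:\Users\user\Desktop\tVuAoupHhZ.exe",
     "cmdline": r'"C:\Users\user\Desktop\tVuAoupHhZ.exe"'},
    {"pid": 2876, "ppid": 1276, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"'},
    {"pid": 7064, "ppid": 2876, "image": r"C:\Windows\SysWOW64\choice.exe",
     "cmdline": "choice /C Y /N /D Y /T 3"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Temp\build.log"'},
]

# cmd.exe command separators: &, &&, |, ||
SEP_RE = re.compile(r"\s*(?:&&|\|\||[&|])\s*")
# a delay primitive that keeps cmd.exe alive until the parent has exited
DELAY_RE = re.compile(r"\b(?:choice\b.*?/T\s*\d+|timeout\b.*?/T\s*\d+|ping\b.*?-n\s+\d+)", re.I)
# 'del'/'erase', optionally preceded by a 'cmd.exe /c' prefix in the first segment
DEL_SEG_RE = re.compile(r'^(?:"?[^"\s]*?cmd(?:\.exe)?"?\s+/[ck]\s+)?(?:del|erase)\s+(.+)$', re.I)


def deletion_targets(cmdline):
    """File paths deleted by del/erase anywhere in a cmd.exe command line (switches dropped)."""
    targets = []
    for seg in SEP_RE.split(cmdline.strip()):
        m = DEL_SEG_RE.match(seg)
        if not m:
            continue
        for arg in re.findall(r'"[^"]+"|\S+', m.group(1)):
            if not arg.startswith("/"):
                targets.append(arg.strip('"'))
    return targets


def has_delay(cmdline):
    """True if any command segment is a choice/timeout/ping delay."""
    return any(DELAY_RE.search(seg) for seg in SEP_RE.split(cmdline))


def find_self_deletion(events):
    """Flag cmd.exe processes whose command line deletes the image of their own parent."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        targets = {t.lower() for t in deletion_targets(e["cmdline"])}
        if parent["image"].lower() in targets:
            findings.append({"pid": e["pid"], "parent_pid": parent["pid"],
                             "deleted": parent["image"], "delayed": has_delay(e["cmdline"])})
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f)
```

Matching the deletion target against the parent's image path is what separates this from ordinary scripted cleanup; the delay flag is informational, since a sample can also remove itself from a dropped batch file without waiting, which is why the signature name covers both forms.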
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration: {"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}
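The configuration line above is what the sandbox's extractor recovered from process memory: this build exfiltrates over SMTP to mail.damaz.it on port 587 with the account shown, and the Yara strings further down carry the $%SMTPDV$, %FTPDV$ and $%TelegramDv$ markers that name the three channels the family supports. The Python below is an added triage example, not part of the report or of any Joe Sandbox tooling: it parses that configuration line into blockable network indicators without carrying the password forward, matches them against constructed flow records (assumed; the Office 365 flow is a benign contrast), and checks a constructed memory buffer for the channel marker strings. How the binary itself uses those markers is not described on this page, so the buffer check reports only their presence.

```python
import json

# The configuration line exactly as the report's extractor printed it (from the page).
CONFIG_LINE = ('{"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", '
               '"Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}')

# Channel marker strings listed under the MALWARE_Win_SnakeKeylogger Yara matches on this page.
# Only their presence is checked; the page does not describe how the binary uses them.
CHANNEL_MARKERS = {b"$%SMTPDV$": "SMTP", b"%FTPDV$": "FTP", b"$%TelegramDv$": "Telegram"}

# Constructed flow records (assumed shape: one dict per connection), not from the report's pcap.
FLOWS = [
    {"src": "10.0.0.23", "dst_host": "mail.damaz.it", "dst_port": 587, "proto": "tcp"},
    {"src": "10.0.0.23", "dst_host": "smtp.office365.com", "dst_port": 587, "proto": "tcp"},  # benign contrast
    {"src": "10.0.0.41", "dst_host": "mail.damaz.it", "dst_port": 993, "proto": "tcp"},        # same host, other port
]

# Constructed memory buffer with two of the three markers embedded (not a real dump).
DUMP = b"\x00" * 16 + b"$%SMTPDV$" + b"\x00" * 8 + b"$%TelegramDv$" + b"\x00" * 4


def parse_config(line):
    """Parse the extractor's JSON line; the port arrives as a string and is normalised to int."""
    cfg = json.loads(line)
    cfg["Port"] = int(cfg["Port"])
    return cfg


def indicators(cfg):
    """Reduce the config to what defenders act on. The password is deliberately left out so the
    result can go into a blocklist or ticket without spreading the credential."""
    host = cfg["Host"].lower()
    return {
        "channel": cfg["Exfil Mode"].upper(),
        "dns": {host},
        "flows": {(host, cfg["Port"], "tcp")},   # (destination, port, protocol) triples to block
        "account": cfg["Username"].lower(),      # report to the mail provider
        "version": cfg["Version"],
    }


def match_flows(ind, flows):
    """Return the flow records that hit a (destination, port, protocol) triple from the config."""
    return [f for f in flows if (f["dst_host"].lower(), f["dst_port"], f["proto"]) in ind["flows"]]


def channels_in_dump(buf):
    """Names of exfiltration channels whose marker string appears in the buffer, sorted."""
    return sorted(name for marker, name in CHANNEL_MARKERS.items() if marker in buf)


def config_matches_dump(cfg, buf):
    """True when the channel named in the config is among the markers found in memory."""
    return cfg["Exfil Mode"].upper() in channels_in_dump(buf)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LINE)
    ind = indicators(cfg)
    print(ind)
    print(match_flows(ind, FLOWS))
    print(channels_in_dump(DUMP), config_matches_dump(cfg, DUMP))
```

The credentials belong to a mailbox the operator uses to send the logs; the actionable response is to block the host/port pair at egress and report the account to its provider, not to reuse it.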
Yara matches on the sample file (Source | Rule | Description | Author | Strings):
tVuAoupHhZ.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
tVuAoupHhZ.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
tVuAoupHhZ.exe | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
tVuAoupHhZ.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b67:$a1: get_encryptedPassword
  • 0x14e53:$a2: get_encryptedUsername
  • 0x14973:$a3: get_timePasswordChanged
  • 0x14a6e:$a4: get_passwordField
  • 0x14b7d:$a5: set_encryptedPassword
  • 0x16245:$a7: get_logins
  • 0x161a8:$a10: KeyLoggerEventArgs
  • 0x15e13:$a11: KeyLoggerEventArgsEventHandler
tVuAoupHhZ.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data
(2 further entries not shown)
Yara matches in process memory dumps (Source | Rule | Description | Author | Strings):
00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14967:$a1: get_encryptedPassword
  • 0x14c53:$a2: get_encryptedUsername
  • 0x14773:$a3: get_timePasswordChanged
  • 0x1486e:$a4: get_passwordField
  • 0x1497d:$a5: set_encryptedPassword
  • 0x16045:$a7: get_logins
  • 0x15fa8:$a10: KeyLoggerEventArgs
  • 0x15c13:$a11: KeyLoggerEventArgsEventHandler
00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x182d0:$x1: $%SMTPDV$
  • 0x18336:$x2: $#TheHashHere%&
  • 0x1992f:$x3: %FTPDV$
  • 0x19a23:$x4: $%TelegramDv$
  • 0x15c13:$x5: KeyLoggerEventArgs
  • 0x15fa8:$x5: KeyLoggerEventArgs
  • 0x19953:$m2: Clipboard Logs ID
  • 0x19b73:$m2: Screenshot Logs ID
  • 0x19c83:$m2: keystroke Logs ID
  • 0x19f5d:$m3: SnakePW
  • 0x19b4b:$m4: \SnakeKeylogger\
(5 further entries not shown)
Yara matches on the unpacked PE (Source | Rule | Description | Author | Strings):
0.0.tVuAoupHhZ.exe.830000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.tVuAoupHhZ.exe.830000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.tVuAoupHhZ.exe.830000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.0.tVuAoupHhZ.exe.830000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b67:$a1: get_encryptedPassword
  • 0x14e53:$a2: get_encryptedUsername
  • 0x14973:$a3: get_timePasswordChanged
  • 0x14a6e:$a4: get_passwordField
  • 0x14b7d:$a5: set_encryptedPassword
  • 0x16245:$a7: get_logins
  • 0x161a8:$a10: KeyLoggerEventArgs
  • 0x15e13:$a11: KeyLoggerEventArgsEventHandler
0.0.tVuAoupHhZ.exe.830000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c52d:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b75f:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bb92:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbd1:$a5: \Kometa\User Data\Default\Login Data
(2 further entries not shown)
                    No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-11T00:50:32.674639+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.32.1 | 443 | TCP
2025-01-11T00:50:35.309466+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.32.1 | 443 | TCP
2025-01-11T00:50:36.493350+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 104.21.32.1 | 443 | TCP
2025-01-11T00:50:37.643911+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.32.1 | 443 | TCP
2025-01-11T00:50:30.039653+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-11T00:50:30.242747+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-11T00:50:32.070914+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
2025-01-11T00:50:33.448230+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | TCP
2025-01-11T00:50:34.742778+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 193.122.130.0 | 80 | TCP


                    AV Detection

Source: tVuAoupHhZ.exe | Avira: detected
Source: 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "clienti@damaz.it", "Password": "348cli", "Host": "mail.damaz.it", "Port": "587", "Version": "5.1"}
Source: tVuAoupHhZ.exe | Virustotal: Detection: 66%
Source: tVuAoupHhZ.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tVuAoupHhZ.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: tVuAoupHhZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: tVuAoupHhZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Yara match | File source: tVuAoupHhZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected (7 requests, none with a User-Agent header, 3 with Connection: Keep-Alive): GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.32.1:443
Source: global traffic | HTTP traffic detected (9 requests, 4 with Connection: Keep-Alive): GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: tVuAoupHhZ.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: tVuAoupHhZ.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, tVuAoupHhZ.exe, 00000000.00000002.2238928111.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
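The requests in this section form a two-step fingerprinting of the victim's network: GET / to checkip.dyndns.org returns the public IP (sent with a hard-coded Internet Explorer 6 user agent that no current browser produces), and that IP is then placed in the path of GET /xml/<ip> to reallyfreegeoip.org, sent without any user agent, to obtain the country (the "Tries to detect the country of the analysis system" and "May check the online IP address of the machine" signatures). The Python below is an added detection example, not from the report: it classifies constructed HTTP request records modelled on this traffic (hosts, URIs and user agent are the ones shown above; the timestamps, a second source host and the benign request are assumptions) and correlates a public-IP lookup with a geolocation lookup from the same source inside a time window, extracting the public IP the malware learned in the first step.

```python
import re
from datetime import datetime, timedelta

# Services seen in the report; extend with the lookup services your own telemetry shows.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}   # answer with the caller's public IP
GEO_LOOKUP_HOSTS = {"reallyfreegeoip.org"}                      # GET /xml/<ip> answers with country data
# the hard-coded user agent from the report's requests (MSIE 6.0 / .NET CLR 1.0.3705 is long obsolete)
LEGACY_UA_RE = re.compile(r"MSIE 6\.0;.*\.NET CLR ?1\.0\.3705", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed request records (assumed shape). Hosts, URIs and user agent are those in the report;
# timestamps, the second source host and the benign request are made up for the example.
REQUESTS = [
    {"ts": "2025-01-11T00:50:30", "src": "192.168.2.5", "host": "checkip.dyndns.org", "uri": "/",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"},
    {"ts": "2025-01-11T00:50:32", "src": "192.168.2.5", "host": "reallyfreegeoip.org",
     "uri": "/xml/8.46.123.189", "ua": ""},
    {"ts": "2025-01-11T00:50:33", "src": "192.168.2.5", "host": "checkip.dyndns.org", "uri": "/",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"},
    {"ts": "2025-01-11T00:51:10", "src": "192.168.2.7", "host": "www.example.com", "uri": "/index.html",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]


def classify(req):
    """Tags for a single request: which lookup service it hits and what its user agent looks like."""
    tags = set()
    host = req["host"].lower()
    if host in IP_CHECK_HOSTS:
        tags.add("public_ip_lookup")
    if host in GEO_LOOKUP_HOSTS and IPV4_RE.search(req["uri"]):
        tags.add("geo_lookup_by_ip")
    if not req.get("ua"):
        tags.add("no_user_agent")
    elif LEGACY_UA_RE.search(req["ua"]):
        tags.add("legacy_ie6_user_agent")
    return tags


def correlate(requests, window=timedelta(seconds=120)):
    """Per source: a public-IP lookup followed within `window` by a geolocation lookup whose path
    embeds an address other than the source's own. Returns one finding per such chain, carrying
    the public IP the malware learned in step one."""
    findings, last_lookup = [], {}
    for req in sorted(requests, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(req["ts"])
        tags = classify(req)
        if "public_ip_lookup" in tags:
            last_lookup[req["src"]] = ts
        if "geo_lookup_by_ip" in tags and req["src"] in last_lookup \
                and ts - last_lookup[req["src"]] <= window:
            ip = IPV4_RE.search(req["uri"]).group(0)
            if ip != req["src"]:
                findings.append({"src": req["src"], "public_ip": ip, "geo_host": req["host"],
                                 "ts": req["ts"], "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in correlate(REQUESTS):
        print(f)
```

Either request on its own is weak evidence, since legitimate software also checks its public IP; the chain, together with the missing or obsolete user agent, is the signal worth alerting on.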

                    System Summary

Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299C1D2
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_029951C5
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299A1E8
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_02997680
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299C790
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299C4B2
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_02994AD9
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299CA70
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_02996F09
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299BD28
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299CD52
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299523C
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_02993572
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Code function: 0_2_0299BEF0
Source: tVuAoupHhZ.exe, 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename lfwhUWZlmFnGhDYPudAJ.exe vs tVuAoupHhZ.exe
Source: tVuAoupHhZ.exe, 00000000.00000002.2238214578.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs tVuAoupHhZ.exe
Source: tVuAoupHhZ.exe | Binary or memory string: OriginalFilename lfwhUWZlmFnGhDYPudAJ.exe vs tVuAoupHhZ.exe
Source: tVuAoupHhZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: tVuAoupHhZ.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: classification engineClassification label: mal100.troj.winEXE@6/1@2/2
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tVuAoupHhZ.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_03
                    Source: tVuAoupHhZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: tVuAoupHhZ.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: tVuAoupHhZ.exeVirustotal: Detection: 66%
                    Source: tVuAoupHhZ.exeReversingLabs: Detection: 91%
                    Source: tVuAoupHhZ.exeString found in binary or memory: F-Stopw
                    Source: unknownProcess created: C:\Users\user\Desktop\tVuAoupHhZ.exe "C:\Users\user\Desktop\tVuAoupHhZ.exe"
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                    Source: tVuAoupHhZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: tVuAoupHhZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Memory allocated: 2990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Memory allocated: 2AC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599874
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599655
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599537
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599353
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599247
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599124
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599015
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598905
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598796
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598687
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598575
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598468
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598359
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598249
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598140
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598031
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597921
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597812
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597703
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597593
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597484
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597374
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597265
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597156
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597046
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596937
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596820
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596718
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596609
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596496
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596390
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596281
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596170
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596062
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595953
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595843
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595734
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595625
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595515
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595406
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595296
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595187
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595077
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594968
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594859
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594749
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594640
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594531
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 594421
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Window / User API: threadDelayed 1820
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Window / User API: threadDelayed 8017
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599874s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 6600 | Thread sleep count: 1820 > 30
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 6600 | Thread sleep count: 8017 > 30
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599655s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599537s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599353s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599247s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599124s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -599015s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598905s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598796s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598687s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598575s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598468s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598359s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598249s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598140s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -598031s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597921s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597812s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597703s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597593s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597484s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597374s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597265s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597156s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -597046s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596937s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596820s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596718s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596609s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596496s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596390s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596281s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596170s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -596062s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595953s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595843s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595734s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595625s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595515s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595406s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595296s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595187s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -595077s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594968s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594859s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594749s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594640s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594531s >= -30000s
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe TID: 5972 | Thread sleep time: -594421s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599874
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599655
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599537
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599353
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599247
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599124
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 599015
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598905
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598796
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598687
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598575
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598468
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598359
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598249
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598140
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 598031
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597921
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597812
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597703
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597593
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597484
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597374
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597265
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597156
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 597046
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596937
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596820
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596718
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596609
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596496
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596390
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596281
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596170
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 596062
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595953
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595843
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595734
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595625
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595515
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595406
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595296
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595187
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exe | Thread delayed: delay time: 595077
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594968Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594859Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594749Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594640Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594531Jump to behavior
                    Source: C:\Users\user\Desktop\tVuAoupHhZ.exeThread delayed: delay time: 594421Jump to behavior
Source: tVuAoupHhZ.exe, 00000000.00000002.2240301996.0000000006277000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: tVuAoupHhZ.exe, 00000000.00000002.2238214578.0000000000D13000.00000004.00000020.00020000.00000000.sdmp; binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; process information queried: ProcessInformation
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; process token adjusted: Debug
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"
Source: C:\Windows\SysWOW64\cmd.exe; process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; queries volume information: C:\Users\user\Desktop\tVuAoupHhZ.exe VolumeInformation
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tVuAoupHhZ.exe; key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
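Two of the behaviours recorded above, the stepwise thread delays and the self-deletion through `cmd.exe /C choice /C Y /N /D Y /T 3 & Del "..."`, are easy to overlook in raw telemetry. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses report-style delay lines (a constructed sample whose values are the first five from the list above), summarises the sleep pattern, and flags a cmd.exe process-creation event whose command line uses `choice` as a timer before `del`. The event schema, the millisecond unit for delay values, and the 180000 threshold are assumptions made for the example.

```python
"""Added example (not Joe Sandbox code): detections for two behaviours in the
report above, run over constructed report-style input."""
import re
from dataclasses import dataclass

# Constructed sample lines in the report's wording; the values are the first
# five delay times listed in the report.
DELAY_LINES = """\
Source: C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe Thread delayed: delay time: 598905
Source: C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe Thread delayed: delay time: 598796
Source: C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe Thread delayed: delay time: 598687
Source: C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe Thread delayed: delay time: 598575
Source: C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe Thread delayed: delay time: 598468
"""

DELAY_RE = re.compile(r"delay time:\s*(\d+)")


def parse_delays(text):
    """Extract delay values, in observed order, from report-style lines."""
    return [int(m.group(1)) for m in DELAY_RE.finditer(text)]


def analyse_sleeps(delays, long_sleep_threshold=180_000):
    """Summarise a sequence of sleep requests.

    Assumption: values are milliseconds (the report does not state the unit), so
    180_000 mirrors the "long sleeps (>= 3 min)" signature. A strictly decreasing
    sequence with a small, steady step is consistent with a deadline-based wait:
    the sample re-issues the sleep for the time still remaining each time the
    sandbox returns early from the call."""
    if not delays:
        return {"calls": 0, "max_delay": 0, "long_sleep": False,
                "countdown": False, "mean_step": 0.0}
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return {
        "calls": len(delays),
        "max_delay": max(delays),
        "long_sleep": max(delays) >= long_sleep_threshold,
        "countdown": len(steps) >= 2 and all(s > 0 for s in steps),
        "mean_step": sum(steps) / len(steps) if steps else 0.0,
    }


@dataclass
class ProcEvent:
    """Minimal process-creation event (assumed schema, e.g. mapped from Sysmon EID 1)."""
    image: str          # image of the created process
    parent_image: str   # image of the creating process
    cmdline: str


# choice ... /T <seconds> ... & del "<path>"   (quoting and spacing vary)
SELF_DELETE_RE = re.compile(
    r'choice\b[^&]*?/T\s+(?P<secs>\d+)[^&]*&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def detect_self_delete(ev):
    """Return a finding when cmd.exe runs `choice` as a timer followed by `del`,
    noting whether the deleted path is the parent's own image (self-deletion)."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group("target").strip()
    return {
        "delay_seconds": int(m.group("secs")),
        "target": target,
        "deletes_parent": target.lower() == ev.parent_image.lower(),
    }


# Event constructed from the command line recorded in the report.
SAMPLE_EVENT = ProcEvent(
    image="C:\\Windows\\SysWOW64\\cmd.exe",
    parent_image="C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe",
    cmdline='"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 '
            '& Del "C:\\Users\\user\\Desktop\\tVuAoupHhZ.exe"',
)

if __name__ == "__main__":
    print(analyse_sleeps(parse_delays(DELAY_LINES)))
    print(detect_self_delete(SAMPLE_EVENT))
```

The self-delete check deliberately ties the deleted path back to the parent image: `choice`-as-timer followed by `del` is also used by legitimate installers to remove a temporary file, but a process deleting its own executable after spawning a delayed child is the pattern worth alerting on. The sleep summary reports the largest single request rather than the sum, since each decreasing value is the remaining wait, not an additional one.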

Stealing of Sensitive Information

Yara match; file source: tVuAoupHhZ.exe, type: SAMPLE
Yara match; file source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE
Yara match; file source: 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match; file source: 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR
Yara match; file source: tVuAoupHhZ.exe, type: SAMPLE
Yara match; file source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE
Yara match; file source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match; file source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR

Remote Access Functionality

Yara match; file source: tVuAoupHhZ.exe, type: SAMPLE
Yara match; file source: 0.0.tVuAoupHhZ.exe.830000.0.unpack, type: UNPACKEDPE
Yara match; file source: 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match; file source: 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: Process Memory Space: tVuAoupHhZ.exe PID: 1276, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques with at least one matching signature, grouped by tactic; the number of matching signatures is given in parentheses. All other cells of the matrix had no matching signatures.

Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), DLL Side-Loading (1), File Deletion (1)
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)
No matches: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact

Antivirus Detection

Source | Detection | Scanner | Label
tVuAoupHhZ.exe | 67% | Virustotal |
tVuAoupHhZ.exe | 92% | ReversingLabs | Win32.Keylogger.NotFound
tVuAoupHhZ.exe | 100% | Avira | TR/ATRAPS.Gen
tVuAoupHhZ.exe | 100% | Joe Sandbox ML |
No antivirus matches in the remaining four scanned categories.
Domains

Name | IP | Active | Malicious | Reputation
reallyfreegeoip.org | 104.21.32.1 | true | false | high
checkip.dyndns.com | 193.122.130.0 | true | false | high
checkip.dyndns.org | unknown | unknown | false | high
Contacted URLs

Name | Malicious | Reputation
http://checkip.dyndns.org/ | false | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | high
URLs from memory and binaries

Sources named below are memory dumps of tVuAoupHhZ.exe of the form 00000000.00000002.2238928111.<address>.00000004.00000800.00020000.00000000.sdmp; only the address field is listed.

Name | Source | Malicious | Reputation
https://reallyfreegeoip.org | 0000000002D0C000, 0000000002C57000, 0000000002D19000, 0000000002CFE000, 0000000002D49000, 0000000002CF1000, 0000000002CA5000 | false | high
http://checkip.dyndns.org | 0000000002D0C000, 0000000002C57000, 0000000002D27000, 0000000002D19000, 0000000002CFE000, 0000000002D49000, 0000000002CF1000, 0000000002C4B000, 0000000002CA5000 | false | high
http://checkip.dyndns.com | 0000000002D0C000, 0000000002C57000, 0000000002D19000, 0000000002CFE000, 0000000002D49000, 0000000002CF1000 | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0000000002B91000 | false | high
http://checkip.dyndns.org/q | tVuAoupHhZ.exe (sample file) | false | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | 0000000002D0C000, 0000000002D19000, 0000000002CFE000, 0000000002D49000, 0000000002CF1000, 0000000002CA5000 | false | high
http://reallyfreegeoip.org | 0000000002D0C000, 0000000002D19000, 0000000002CFE000, 0000000002D49000, 0000000002C7A000, 0000000002CF1000 | false | high
https://reallyfreegeoip.org/xml/ | tVuAoupHhZ.exe (sample file) | false | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588345
Start date and time: 2025-01-11 00:49:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tVuAoupHhZ.exe (renamed because the original name is a hash value)
Original Sample Name: cb84dc0df43c3fe063e43f547dd9678ffa8c054ba955f98bf35c9a8581be5c87.exe
Detection: MAL
Classification: mal100.troj.winEXE@6/1@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 55
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tVuAoupHhZ.exe, PID 1276 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Simulations

Time | Type | Description
18:50:31 | API Interceptor | 73x Sleep call for process: tVuAoupHhZ.exe modified
Context: IPs (other analyses that contacted the same IP)

Match: 104.21.32.1
Associated Sample Name / URL | Detection | Threat Name | Context
25IvlOVEB1.exe | malicious | FormBook | www.masterqq.pro/3vdc/
QUOTATION#050125.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php

Match: 193.122.130.0
Associated Sample Name / URL | Detection | Threat Name | Context
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
wymvwQ4mC4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
VQsnGWaNi5.exe | malicious | Snake Keylogger | checkip.dyndns.org/
lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
y1jQC8Y6bP.exe | malicious | MassLogger RAT | checkip.dyndns.org/
zAK7HHniGW.exe | malicious | Snake Keylogger | checkip.dyndns.org/
B3aqD8srjF.exe | malicious | Snake Keylogger | checkip.dyndns.org/
VIAmJUhQ54.exe | malicious | MassLogger RAT | checkip.dyndns.org/
bd9Gvqt6AK.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Context: Domains (other analyses that resolved the same domain)

Match: reallyfreegeoip.org
Associated Sample Name / URL | Detection | Threat Name | Context
TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.96.1
H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1
3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.48.1
vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1

Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
H75MnQEha8.exe | malicious | MassLogger RAT | 132.226.8.169
WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
z87sammylastborn.exe | malicious | MassLogger RAT | 132.226.247.73
vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Context: ASNs (other analyses that contacted the same ASN)

Match: ORACLE-BMC-31898US
Associated Sample Name / URL | Detection | Threat Name | Context
phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 192.29.202.93
https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 172.66.0.227
https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 172.66.0.227
https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 172.66.0.227
https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | 188.114.96.3
25IvlOVEB1.exe | malicious | FormBook | 104.21.32.1
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.96.1
H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1
Context: JA3 client fingerprints (other analyses with the same TLS client fingerprint)

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Threat Name | Context
TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.32.1
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.32.1
H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.32.1
3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.32.1
2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.32.1
vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
                                              No context
                                              Process:C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1039
                                              Entropy (8bit):5.353332853270839
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                              MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                              SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                              SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                              SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                              Malicious:true
                                              Reputation:moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.827429319739148
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              File name:tVuAoupHhZ.exe
                                              File size:134'144 bytes
                                              MD5:4634e3e6584b3f6f79c63b718dcd858c
                                              SHA1:2a540ad0f78d989a4a32521354aaa7ec65a83a9e
                                              SHA256:cb84dc0df43c3fe063e43f547dd9678ffa8c054ba955f98bf35c9a8581be5c87
                                              SHA512:3e5246d594069ba469cf26dc8002e0020a874b2f0ceac25d31b5dcdbf6aca46901c7409a227460c3ff532cebfdd3f0009ad898b76cf5e97c5024761a0b1fdf52
                                              SSDEEP:3072:nq/6fidzVhevEzfPUilnb51D5sLCwvxpJgbY:q2i5ckbD8Cb
                                              TLSH:76D3080927E49814E1FFAA730670A111C779B8431A6ADE1D1BC2F86D2B7D6D1CE06F93
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..............P.............>.... ... ....@.. .......................`............@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x42143e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66972DD9 [Wed Jul 17 02:35:05 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                               Instruction
                                               jmp dword ptr [00402000h]
                                               add byte ptr [eax], al    (repeated 97 times in the listing: 00 00 zero-byte padding following the one-instruction CLR entry stub, which jumps through the IAT slot at 0x402000 to mscoree.dll!_CorExeMain)
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x213e4 | 0x57 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0x1f444 | 0x1f600 | c7526c70c8d9ac73e17221a18802f8e0 | False | 0.3557566608565737 | data | 5.84047926916259 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x22000 | 0x108f | 0x1200 | f59392b7fa5e8b22ad0c6b19a0b07c20 | False | 0.3663194444444444 | data | 4.868462934974607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x24000 | 0xc | 0x200 | 6890ec35b658cdac6b1695e39bbdb5d4 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key | | | 0.42358078602620086
                                               RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3926651912741069
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                               2025-01-11T00:50:30.039653+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
                                               2025-01-11T00:50:30.242747+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
                                               2025-01-11T00:50:32.070914+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | TCP
                                               2025-01-11T00:50:32.674639+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49706 | 104.21.32.1 | 443 | TCP
                                               2025-01-11T00:50:33.448230+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | TCP
                                               2025-01-11T00:50:34.742778+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49709 | 193.122.130.0 | 80 | TCP
                                               2025-01-11T00:50:35.309466+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49710 | 104.21.32.1 | 443 | TCP
                                               2025-01-11T00:50:36.493350+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49712 | 104.21.32.1 | 443 | TCP
                                               2025-01-11T00:50:37.643911+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49714 | 104.21.32.1 | 443 | TCP
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 11, 2025 00:50:23.801529884 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:23.806397915 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:23.806555033 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:23.807720900 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:23.837852001 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:26.879671097 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:26.884701014 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:26.891093016 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:29.987149000 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.039653063 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:30.093719006 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:30.100155115 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.196466923 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.242747068 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:30.245855093 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.245898962 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.245975018 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.252974987 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.253007889 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.722625017 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.722700119 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.728159904 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.728193045 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.728672981 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.774456024 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.780864000 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.827337027 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.901397943 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.901483059 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:30.901550055 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.906349897 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:30.910008907 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:30.914940119 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.016899109 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.020181894 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.020227909 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.020320892 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.020796061 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.020813942 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.070914030 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.479476929 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.524005890 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.564136028 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.564156055 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.674660921 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.674730062 CET | 443 | 49706 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.674776077 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.681898117 CET | 49706 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:32.762005091 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.763292074 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.768567085 CET | 80 | 49704 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.768634081 CET | 49704 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.769476891 CET | 80 | 49707 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:32.769551039 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.771907091 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:32.778390884 CET | 80 | 49707 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:33.397109985 CET | 80 | 49707 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:33.398320913 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:33.398377895 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:33.398446083 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:33.398689985 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:33.398699999 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:33.448230028 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:33.878880024 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:33.880676985 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:33.880709887 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.035839081 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.035907030 CET | 443 | 49708 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.036072969 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:34.036401987 CET | 49708 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:34.039509058 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:34.040960073 CET | 49709 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:34.047030926 CET | 80 | 49707 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.047446012 CET | 49707 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:34.047847986 CET | 80 | 49709 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.047924995 CET | 49709 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:34.048089981 CET | 49709 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:34.055234909 CET | 80 | 49709 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.700704098 CET | 80 | 49709 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.701958895 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:34.701992035 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.702063084 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:34.702287912 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:34.702295065 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:34.742778063 CET | 49709 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:35.164118052 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.178666115 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.178706884 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.309488058 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.309556007 CET | 443 | 49710 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.309628963 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.310087919 CET | 49710 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.314620972 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:35.320105076 CET | 80 | 49711 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.320204020 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:35.320323944 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:35.327541113 CET | 80 | 49711 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.904844999 CET | 80 | 49711 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.906336069 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.906373024 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.906440020 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.906747103 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:35.906755924 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:35.945904970 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.365320921 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.367296934 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:36.367336035 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.493393898 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.493463993 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.493514061 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:36.494441032 CET | 49712 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:36.499862909 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.500521898 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.507380962 CET | 80 | 49711 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.507399082 CET | 80 | 49713 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:36.507436037 CET | 49711 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.507482052 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.507569075 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:36.514467955 CET | 80 | 49713 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.025933027 CET | 80 | 49713 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.027127981 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.027185917 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.027266979 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.027508974 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.027523041 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.070866108 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:37.509485960 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.511899948 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.511935949 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.643999100 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.644160986 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.644227982 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.644526958 CET | 49714 | 443 | 192.168.2.5 | 104.21.32.1
                                               Jan 11, 2025 00:50:37.647525072 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:37.648788929 CET | 49715 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:37.652448893 CET | 80 | 49713 | 193.122.130.0 | 192.168.2.5
                                               Jan 11, 2025 00:50:37.652513981 CET | 49713 | 80 | 192.168.2.5 | 193.122.130.0
                                               Jan 11, 2025 00:50:37.653553963 CET | 80 | 49715 | 193.122.130.0 | 192.168.2.5
                                              Jan 11, 2025 00:50:37.653623104 CET4971580192.168.2.5193.122.130.0
                                              Jan 11, 2025 00:50:37.653752089 CET4971580192.168.2.5193.122.130.0
                                              Jan 11, 2025 00:50:37.658488989 CET8049715193.122.130.0192.168.2.5
                                              Jan 11, 2025 00:50:39.137031078 CET8049715193.122.130.0192.168.2.5
                                              Jan 11, 2025 00:50:39.138554096 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.138617992 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.138712883 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.138976097 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.138992071 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.180291891 CET4971580192.168.2.5193.122.130.0
                                              Jan 11, 2025 00:50:39.635081053 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.643476963 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.643502951 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.787791014 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.787863970 CET44349716104.21.32.1192.168.2.5
                                              Jan 11, 2025 00:50:39.787919044 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.788352966 CET49716443192.168.2.5104.21.32.1
                                              Jan 11, 2025 00:50:39.903863907 CET4971580192.168.2.5193.122.130.0
                                              Jan 11, 2025 00:50:39.904448032 CET4970980192.168.2.5193.122.130.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:50:23.787868977 CET | 57181 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 00:50:23.794985056 CET | 53 | 57181 | 1.1.1.1 | 192.168.2.5
Jan 11, 2025 00:50:30.236125946 CET | 53724 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 00:50:30.245155096 CET | 53 | 53724 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 00:50:23.787868977 CET | 192.168.2.5 | 1.1.1.1 | 0xe8ae | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.236125946 CET | 192.168.2.5 | 1.1.1.1 | 0xc280 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:23.794985056 CET | 1.1.1.1 | 192.168.2.5 | 0xe8ae | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:30.245155096 CET | 1.1.1.1 | 192.168.2.5 | 0xc280 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                              • reallyfreegeoip.org
                                              • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:23.807720900 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:50:26.879671097 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5ecc972f4baf630c8a1e855edd591095
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:50:26.884701014 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:50:29.987149000 CET | 745 | IN | HTTP/1.1 504 Gateway Time-out
Date: Fri, 10 Jan 2025 23:50:29 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
X-Request-ID: b2ba13bc10bc3582341a4dc01f5c8b2c
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 11, 2025 00:50:30.093719006 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:50:30.196466923 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b5b7eeed30a039d938b9d80346880a4d
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 00:50:30.910008907 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:50:32.016899109 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: bb51d36bc759a46cbd54b56c4513f05b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:32.771907091 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:50:33.397109985 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1408eb018f51854ecd074eaf13f39c6d
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49709 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:34.048089981 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 00:50:34.700704098 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 24530a062a60c9f022f71af51ddefe95
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49711 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:35.320323944 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:50:35.904844999 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1e3eaf138e07fe4ebf86b455e75d6d81
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49713 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:36.507569075 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:50:37.025933027 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:36 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: bb6c5d2dd66869b8458626e20cbc5558
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49715 | 193.122.130.0 | 80 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 00:50:37.653752089 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 00:50:39.137031078 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:39 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 35d0005661f2ddcecd309a0dced5cb8b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:30 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 23:50:30 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1867819
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h42INMm79wiW2%2FPD4o5EJPZzsjmqs4pYSZE59enc%2BNH2Cqfu6HrHw5gOYQNi2AB2WNgM7KgqjTH05I7cAm3%2BEALXZ0swpCmYCiWMJ7gp%2FhX6TpERfKIpkpyip%2BygLSnU3UEw6Wqd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900091dabc488cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1765&rtt_var=664&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1654390&cwnd=243&unsent_bytes=0&cid=a851d8d75b7ca77a&ts=195&x=0"
2025-01-10 23:50:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 104.21.32.1 | 443 | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 23:50:32 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 23:50:32 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1867821
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rBzakafIf822CH%2FIKitjohfIUD3R2VcM6AAD%2F3HucCr%2B0GHcizlNlLWpq8hGAvWsT4TdDjfMbGfFUqfoRW6CSg%2BgZpIkcB3co8dSoclwM7I5trbd0PkWvd4OhKzDHAx0QuqEPAlp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900091e5dcdc41a6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1588&rtt_var=598&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1823860&cwnd=241&unsent_bytes=0&cid=c761b17fc1eabc3c&ts=199&x=0"
2025-01-10 23:50:32 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              2192.168.2.549708104.21.32.14431276C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              TimestampBytes transferredDirectionData
                                              2025-01-10 23:50:33 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2025-01-10 23:50:34 UTC863INHTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:50:33 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1867823
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O0DJ9P6b6BU6sCICPoQ3%2B4Ay%2F%2FVCxENj4ayP4cqkS3ju3pJBes6Rigf7V1jTA%2BIAm2mp8bvvLio7St6Ar%2F5P7cjOeCrb3PR%2BKtmGa6M8FoAZNyq9ms3jbUzgI99qVy3gGiUVY7%2F0"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900091ee5e981875-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1660&rtt_var=634&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1708601&cwnd=153&unsent_bytes=0&cid=ec87cffed8d90182&ts=164&x=0"
                                              2025-01-10 23:50:34 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              3          | 192.168.2.5 | 49710       | 104.21.32.14   | 443              | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2025-01-10 23:50:35 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2025-01-10 23:50:35 UTC | 861               | IN        | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:50:35 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1867824
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2B3irgUNEUIra4CJ0AxrmcRU2FKp4s1DyxLZr%2FnRUMTYd%2F3ytTTjI2rq%2FF3Yr919qNf7YxssMiVujF3tck8dl7BNVWqfCI%2FtnMY24GTGhhTyny9Ardhw2wUG9eQ10j%2BL46Wi08uN"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900091f65e0fc327-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1627&rtt_var=619&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1755862&cwnd=189&unsent_bytes=0&cid=9e996c523e9b0560&ts=154&x=0"
                                              2025-01-10 23:50:35 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              4          | 192.168.2.5 | 49712       | 104.21.32.14   | 443              | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2025-01-10 23:50:36 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2025-01-10 23:50:36 UTC | 859               | IN        | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:50:36 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1867825
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFlxZTNBQraFB07iloyIFW%2F5vhydcx%2BZd8d885Yb73nOxwEE%2FuzocmJsRVgDAys6fiN%2B4SZMWFRGg5qCD4cSvKwWJT1QIKtOWphLIRm%2FZsIwH7N9W6R3PiC7lQoXtYdtxK2PIj2X"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900091fdbb8dc327-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1613&rtt_var=622&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1810291&cwnd=189&unsent_bytes=0&cid=8539e2d5bb8180ca&ts=134&x=0"
                                              2025-01-10 23:50:36 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              5          | 192.168.2.5 | 49714       | 104.21.32.14   | 443              | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2025-01-10 23:50:37 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2025-01-10 23:50:37 UTC | 853               | IN        | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:50:37 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1867826
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WFr9LtYNiDIF9PHCFdXpEeWlfNPlvd8wf8lAwZo2XpQqF7oWsaJYxiMS6tk%2FuXF2aqxgrP%2FBFriozxl95M0AmlDVteMaW7VVKaLE3EfwJUfdWIVQgsbWFPYSnRjfBRUQxYcHSSU"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 90009204e86372b9-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1795&rtt_var=689&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1569048&cwnd=217&unsent_bytes=0&cid=72cd533136410892&ts=141&x=0"
                                              2025-01-10 23:50:37 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              6          | 192.168.2.5 | 49716       | 104.21.32.14   | 443              | 1276 | C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2025-01-10 23:50:39 UTC | 85                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2025-01-10 23:50:39 UTC | 854               | IN        | HTTP/1.1 200 OK
                                              Date: Fri, 10 Jan 2025 23:50:39 GMT
                                              Content-Type: text/xml
                                              Content-Length: 362
                                              Connection: close
                                              Age: 1867828
                                              Cache-Control: max-age=31536000
                                              cf-cache-status: HIT
                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N5Fh%2B2kRUAjIub1bfqdfZzhq3L5SzvomREDnK3meo6gf697VI5rBd%2B1aoCS6V4iunr9SC192zPKF3V7jHHp9TsSTy1wb4nlkXezxuJhHUbrDr97v9RKqfdBSwtyifalpt2HJf5tN"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 900092124aca8cda-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=8742&min_rtt=1816&rtt_var=4961&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1607929&cwnd=243&unsent_bytes=0&cid=70f71278c2625b75&ts=161&x=0"
                                              2025-01-10 23:50:39 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                              Target ID:0
                                              Start time:18:50:22
                                              Start date:10/01/2025
                                              Path:C:\Users\user\Desktop\tVuAoupHhZ.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\tVuAoupHhZ.exe"
                                              Imagebase:0x830000
                                              File size:134'144 bytes
                                              MD5 hash:4634E3E6584B3F6F79C63B718DCD858C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2238928111.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.2073909707.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2238928111.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:18:50:39
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\tVuAoupHhZ.exe"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:18:50:39
                                              Start date:10/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:18:50:39
                                              Start date:10/01/2025
                                              Path:C:\Windows\SysWOW64\choice.exe
                                              Wow64 process (32bit):true
                                              Commandline:choice /C Y /N /D Y /T 3
                                              Imagebase:0x3a0000
                                              File size:28'160 bytes
                                              MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                                Similarity
                                                • API ID:
                                                • String ID: 0o@p$PH]q$PH]q
                                                • API String ID: 0-2023588385
                                                • Opcode ID: c7eb01d10c274bcd847976e73b3e4eba29287b4e37571d804cc62fc7a6caf744
                                                • Instruction ID: 32d0225d1b616a910ba1b4a248da68b7929572f7412c01e7dfa5aa7ec340e039
                                                • Opcode Fuzzy Hash: c7eb01d10c274bcd847976e73b3e4eba29287b4e37571d804cc62fc7a6caf744
                                                • Instruction Fuzzy Hash: 8D61B674E006189FDF18DFAAD944A9EBBF2BF88314F14C46AE418AB365DB349941CF50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (o]q$4']q
                                                • API String ID: 0-176817397
                                                • Opcode ID: cee2e24b9e80f845d6a899a06b78a393fe7050298487e64f99aacd3d88cf5442
                                                • Instruction ID: a3b90845e1e5e902e5ba17cea5d29fdd1f74ca2d7a8f772f0ffc91bcf5fffaac
                                                • Opcode Fuzzy Hash: cee2e24b9e80f845d6a899a06b78a393fe7050298487e64f99aacd3d88cf5442
                                                • Instruction Fuzzy Hash: BE825A71A00209DFCF15CF6CC984AAEBBF6FF88324F158959E8099B2A1D735E951CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (o]q$Haq
                                                • API String ID: 0-903699183
                                                • Opcode ID: a078fbbaf2a25325711f2a2885dda4fa1bfe6e821045c975aa52f3f3b6b33ade
                                                • Instruction ID: aa08bd013b0e0cff60281f856b27b5c37d5bc2f8ca1d942889568a9cb4069331
                                                • Opcode Fuzzy Hash: a078fbbaf2a25325711f2a2885dda4fa1bfe6e821045c975aa52f3f3b6b33ade
                                                • Instruction Fuzzy Hash: 7912AF70A102199FDB18DFA9C844BAEBBF6FF88314F148569E805DB394DF349941CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                                • API String ID: 0-1435242062
                                                • Opcode ID: cc5f6271aca1552bbb6e6467b20573f503d2e80f959858cd21e380a2e9cb820c
                                                • Instruction ID: c696f03d5ffb39709ac93be43aaee11a2e0dc18d540ea1ad3de9282a209d0e31
                                                • Opcode Fuzzy Hash: cc5f6271aca1552bbb6e6467b20573f503d2e80f959858cd21e380a2e9cb820c
                                                • Instruction Fuzzy Hash: 82324A30A006059FCF14CF6DD884AAEBBFABF89324B1485A9E415DB3A1DB35ED41CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Haq$Haq
                                                • API String ID: 0-4016896955
                                                • Opcode ID: c4208e0a2d2a975a4de167c9c53cec0cf1f026565feb07c4ea7980c07344a401
                                                • Instruction ID: 7cf278093bdc1c04e861ec3501aae944c65ca4b0fde55c7c689e6718d3408458
                                                • Opcode Fuzzy Hash: c4208e0a2d2a975a4de167c9c53cec0cf1f026565feb07c4ea7980c07344a401
                                                • Instruction Fuzzy Hash: 40B1EA317002119FCF199F2DC858B7A7BEABF89364F048969E906CB394DB38C841CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,aq$,aq
                                                • API String ID: 0-2990736959
                                                • Opcode ID: 687c3b6c60ee56567b22276d58f97523dee2aef0f1cc65e82e3eb841d005b7ec
                                                • Instruction ID: c346a311fe8b0e711adb52662a68690490c69c191d7950c3d08b9cd4919046c9
                                                • Opcode Fuzzy Hash: 687c3b6c60ee56567b22276d58f97523dee2aef0f1cc65e82e3eb841d005b7ec
                                                • Instruction Fuzzy Hash: AC819034B015098FCF14DF6DC484A6AB7BAFF89328B158569E505E7364EB31E841CBA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q
                                                • API String ID: 0-3120983240
                                                • Opcode ID: be7c9f7398b3703a52df6d04842f7f295b3fcad9b4faec9258f6135efb2e7c37
                                                • Instruction ID: 98f351f87d743d57650658934362868112ac504a060bc629862dfd31cde4b981
                                                • Opcode Fuzzy Hash: be7c9f7398b3703a52df6d04842f7f295b3fcad9b4faec9258f6135efb2e7c37
                                                • Instruction Fuzzy Hash: ED5170307002059FEB149AADC944B6E7BEEEF88361F14886AE908CB295DB75DC41CB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Xaq$Xaq
                                                • API String ID: 0-1488805882
                                                • Opcode ID: 59a4790e7a2dcf382dbe00c7df3a22041d758a39eb2cbb51e4b255a5eaefeb45
                                                • Instruction ID: f2e1d8abadd4e60940691d7bf6affe2d88d29194f80e23bb003a89279270d283
                                                • Opcode Fuzzy Hash: 59a4790e7a2dcf382dbe00c7df3a22041d758a39eb2cbb51e4b255a5eaefeb45
                                                • Instruction Fuzzy Hash: 7F312531B003258BDF1D8E6E4A9427EA6DEBBC9264F044879D81EC3384DB74CC458299
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $]q$$]q
                                                • API String ID: 0-127220927
                                                • Opcode ID: 1fc08324b111dae6319c09fdba6e6055b6b2611d081632dabcdbee8d62b677d4
                                                • Instruction ID: a68e5014ab0370176488c46be70091b8f739c1fc73092c97883f49b3aa545c67
                                                • Opcode Fuzzy Hash: 1fc08324b111dae6319c09fdba6e6055b6b2611d081632dabcdbee8d62b677d4
                                                • Instruction Fuzzy Hash: D131A4303441118FEF259B3DDC9877E77A9FB85664B15485ED426CB391DB29CC80CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR]q
                                                • API String ID: 0-3081347316
                                                • Opcode ID: 6c877d03239b9d9e17c89a63a1b30740aa6c8b05087667640ad59a84b0c01c14
                                                • Instruction ID: ce3c5bcfd923403711036eb859fd9a8aea42d8a912d5d12fdfb0bd267014296c
                                                • Opcode Fuzzy Hash: 6c877d03239b9d9e17c89a63a1b30740aa6c8b05087667640ad59a84b0c01c14
                                                • Instruction Fuzzy Hash: 1C22FF78D00219DFCB54EF64EA84A9DBBB6FF48304F1085A6D819AB758DB345E49CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LR]q
                                                • API String ID: 0-3081347316
                                                • Opcode ID: 0438f49aff9f32c728cc2557ed7b8f27b1267701b76e10bae0e88d02d9a63dcb
                                                • Instruction ID: fbfda37af0bb90e968b247d321ce873628b449fc5751f055785abbcd52249920
                                                • Opcode Fuzzy Hash: 0438f49aff9f32c728cc2557ed7b8f27b1267701b76e10bae0e88d02d9a63dcb
                                                • Instruction Fuzzy Hash: 9322FF78D00219DFCB54EF64EA84A9DBBB6FF48304F1085A6D819AB758DB346E85CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (o]q
                                                • API String ID: 0-794736227
                                                • Opcode ID: d405d8892f8d1c86986da7b0158e940a5b4e259c72ce501c66478559abe22a35
                                                • Instruction ID: 78493e2564a928cddb224aff66ceaff29982d79eae2201fc0952d00f0075f3e3
                                                • Opcode Fuzzy Hash: d405d8892f8d1c86986da7b0158e940a5b4e259c72ce501c66478559abe22a35
                                                • Instruction Fuzzy Hash: F641C532B002149FCB189F69D85876E7BFAFBC8610F144469D516E7390DE399C01CBA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e30b163685be3b8c8d0b4eeaf1aa06e0af027d7166378b595c756b2fbd1ec888
                                                • Instruction ID: d85446d3d614e0813503d5fa01f249ac0505ac56056695fa2b72a7c48eff8f68
                                                • Opcode Fuzzy Hash: e30b163685be3b8c8d0b4eeaf1aa06e0af027d7166378b595c756b2fbd1ec888
                                                • Instruction Fuzzy Hash: 047119347006058FCF14DF2DC899A6E7BEABF4A264B5904AAE906DB3B1DB74DC41CB50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ec1df37beea062bf22cd762ee7b8fa9f24add0f6bd95cc0d5b6f8a523e8f1ba
                                                • Instruction ID: 80094114d11cd5a6d4eafae75e56e44472f19af364b9b65a23cf3a3fd67d0ff9
                                                • Opcode Fuzzy Hash: 5ec1df37beea062bf22cd762ee7b8fa9f24add0f6bd95cc0d5b6f8a523e8f1ba
                                                • Instruction Fuzzy Hash: A651F670AA5343CFC3543F26E5AC13A7BA5FB0F3977456D20E12E86098DB3950A4CB21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 802061e61b602856e1675db4cc6ba465f892d119e29453c62786ad73b6e6a0bb
                                                • Instruction ID: 88b22ade1c4860365d3e1008e7e04e702a76f81148e3644a2d2628b41eee5cf6
                                                • Opcode Fuzzy Hash: 802061e61b602856e1675db4cc6ba465f892d119e29453c62786ad73b6e6a0bb
                                                • Instruction Fuzzy Hash: 3151C270AA5343CFC3543F22A5AC13A7BA1FB0F7A73456D20E12E86098DB3910A4CB12
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3549b276856ff67e263150668bf1f3e86545ada58b752e657e1e0882245a2fc5
                                                • Instruction ID: 177823a6e5dcbcd451c15004b17f67a661738ac8201401417e91ac5aadf8184f
                                                • Opcode Fuzzy Hash: 3549b276856ff67e263150668bf1f3e86545ada58b752e657e1e0882245a2fc5
                                                • Instruction Fuzzy Hash: 2D519374E01218DFDB58DFA9D98499DBBF2FF89310F208169E819AB364DB31A901CF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 418493ab4207308c7f82cbb50e7b3f21e11a645f3f2547f05694e3664be9043e
                                                • Instruction ID: 59d0e28743b484702e6dae342dbe211cd99612d31f4fa9d05b669fd2bb62af22
                                                • Opcode Fuzzy Hash: 418493ab4207308c7f82cbb50e7b3f21e11a645f3f2547f05694e3664be9043e
                                                • Instruction Fuzzy Hash: 4B519874E01208DFCB08DFA9D59099DBBF2FF8D314B209469E419AB364DB31A945CF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2745efe18b51f221ea760893788bf69dc394b0c7012c973edbc687a9626153e8
                                                • Instruction ID: efba715b29ac7c66a71170c4054a82076af024f8021d6465cf376bbe2b565d03
                                                • Opcode Fuzzy Hash: 2745efe18b51f221ea760893788bf69dc394b0c7012c973edbc687a9626153e8
                                                • Instruction Fuzzy Hash: 30415F31A04249DFCF11CFA8C848B9EBFB6EF49364F048555E819AB395D335E960CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b04fe690bb52187f7476089d1f086a280fea1efac2dee334c5792f162d8a98a1
                                                • Instruction ID: 67ca086ba4ff0c851d033b711ccc245b01f317f3623fa4efa7582ad37a8658f4
                                                • Opcode Fuzzy Hash: b04fe690bb52187f7476089d1f086a280fea1efac2dee334c5792f162d8a98a1
                                                • Instruction Fuzzy Hash: CA41C271A00209DFDF14CFA8C904BAABBFAFB44314F04886AE415DB291DB75DD55CB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f096140d9f1311f5f2cbff98c61ecc1aa455ae8a9c3143b45010e734d4f6a576
                                                • Instruction ID: 42acd9915263af38f2e03de3ce200671114ca45ae8d6f99859ad65ae3976c2a1
                                                • Opcode Fuzzy Hash: f096140d9f1311f5f2cbff98c61ecc1aa455ae8a9c3143b45010e734d4f6a576
                                                • Instruction Fuzzy Hash: D1319331A1010A9FCF069F69D458AAF3BA6FF48354F444415F915DB290CB38CC61DB90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d375794eef57f8afb591080d2fb76ea8db513e18ff45cee9e826adbba329458c
                                                • Instruction ID: 8e4fe65bebe0364d7b36b0d918cf420e1079d2f69b2a9b10b48aef29e3b03207
                                                • Opcode Fuzzy Hash: d375794eef57f8afb591080d2fb76ea8db513e18ff45cee9e826adbba329458c
                                                • Instruction Fuzzy Hash: 4E31CD30600245DFDB11DF2CC884AABBBF9EF49360F5488AAE844DB215D731FA11CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bfc4e3ed1599bef0c57dff9509c797d4cc9a169ad412edf6dccc2fc1d62e7afe
                                                • Instruction ID: c832a39f3c4a73bcab4382c166b3236586ddc97426973ff53aa67f22fa0c5935
                                                • Opcode Fuzzy Hash: bfc4e3ed1599bef0c57dff9509c797d4cc9a169ad412edf6dccc2fc1d62e7afe
                                                • Instruction Fuzzy Hash: FF219D313102014BDF14572D8898B7E369BAFC6668F1444BDD906CB3A4EF29CC46D782
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e3fd88c8f1afb8c3357211a0c926bb3738035ac116cb579e62e991a88784bef7
                                                • Instruction ID: 1301578d8b156f46da3496ee1f72e988d54054395bc33ed76764939e75a0f2b3
                                                • Opcode Fuzzy Hash: e3fd88c8f1afb8c3357211a0c926bb3738035ac116cb579e62e991a88784bef7
                                                • Instruction Fuzzy Hash: BE21A135E00115AFCF24DF68D840AAE77AAEB9D264F10C419DC0A9B344DB35EA46CBD2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 816dfb8c438b5db9683e8ba05bd33684691edb97c2ceae229b9e9eb6cb4609d1
                                                • Instruction ID: 98b8a2a176da2178e929b854955154ece1bbbfb42ff7c8ce88c3f932e01ab35e
                                                • Opcode Fuzzy Hash: 816dfb8c438b5db9683e8ba05bd33684691edb97c2ceae229b9e9eb6cb4609d1
                                                • Instruction Fuzzy Hash: 1E212630C11219DEDF11EFE8D9446EDBBB4FF4A314F009629E41877254EB30AA5ACB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9559a59a3929e099e982acbbf77cf8cad10b38e7a1575edd7fea9f32533f1d77
                                                • Instruction ID: bdec20b0b78ff90633781f95490646d7d14221e9a8e0fd8b406d005520f00a2a
                                                • Opcode Fuzzy Hash: 9559a59a3929e099e982acbbf77cf8cad10b38e7a1575edd7fea9f32533f1d77
                                                • Instruction Fuzzy Hash: 3E21D535B006129FCB19AB2AC45892EB7AAFFC47697154579E91ADB390CF34DC02CBD0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9988bd5288b8f167cb92c185c9b4093bd17009a253ae065fe1219c73b0b01952
                                                • Instruction ID: 40086595e334f2cce44bcbed720d65575f5aac2f71ba742d49a20e1e7f172f0b
                                                • Opcode Fuzzy Hash: 9988bd5288b8f167cb92c185c9b4093bd17009a253ae065fe1219c73b0b01952
                                                • Instruction Fuzzy Hash: AE212732A101199FCF05AF69D448BAB3BAAFB48328F444065F915CB384CB38CD55CBE0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c69db10d7e58b2dcc72d9d94ae4cf91b5b478f1fb5cb1dbecdd438169633f4f4
                                                • Instruction ID: 930ff1dadbcb1aa413757ccf5ed0a418761fb2666eb57370518156f97c936959
                                                • Opcode Fuzzy Hash: c69db10d7e58b2dcc72d9d94ae4cf91b5b478f1fb5cb1dbecdd438169633f4f4
                                                • Instruction Fuzzy Hash: 87115E31E0424DAFCF019BBC9C115DEBB35FF89320B248757D566B7191EA31291AC791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 49cf93ec3424acd4640995fad9b8e4fb70cc9413f8c0f6b1553a6a6c980b55d4
                                                • Instruction ID: 66bde73529ba6ba26476db1d306d8386056c202e2bb18f278443efd9565efb68
                                                • Opcode Fuzzy Hash: 49cf93ec3424acd4640995fad9b8e4fb70cc9413f8c0f6b1553a6a6c980b55d4
                                                • Instruction Fuzzy Hash: 83210434A012189FCF08DFB4E990AEEB7B2FB8A304F109529D41577394CB399942CA65
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3fce64e97d1e215534693ff602d3cafec46707bbbb04893672616298a5cb39a5
                                                • Instruction ID: a770eb6e9cd7e37c9cd6aa85db6d502a399669899045bb4c8266392f18e16335
                                                • Opcode Fuzzy Hash: 3fce64e97d1e215534693ff602d3cafec46707bbbb04893672616298a5cb39a5
                                                • Instruction Fuzzy Hash: 2F31A674E15209DFCF44DFA8E6948ADBBB2FF49315B20846AE809AB364D735AD05CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f28cc48c5eb0ba11b020b2afe7444b3efd8caaee818f22b6d68542e37497a0d4
                                                • Instruction ID: ccda8f7cde198fa45a27903c347c7be6cb18a14d88d7736caf3b9fb115b17bb0
                                                • Opcode Fuzzy Hash: f28cc48c5eb0ba11b020b2afe7444b3efd8caaee818f22b6d68542e37497a0d4
                                                • Instruction Fuzzy Hash: B51170313501119FDF145B2DC998B7E369FBFC5668B1845ADE902CB2A4EF28C848D683
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73955a27929f60bf983988a02fa39ef79e305062e5a781e255dfaf7a6c54d6d0
                                                • Instruction ID: 2eb8be7b6050acefd2851956ed03a5bad8b91a6ac68d328e75f4e15a29fcb391
                                                • Opcode Fuzzy Hash: 73955a27929f60bf983988a02fa39ef79e305062e5a781e255dfaf7a6c54d6d0
                                                • Instruction Fuzzy Hash: B9219C30E011599FDF05CFAAD658AEEBFBAAF48304F18806AE451E7294DB359901DF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c8ab3be0f9143453ad804498f5bba24b7375c9c3898e0530e05871c2a409d6a
                                                • Instruction ID: 77666b2dd6f4212c038f6fd831f172de17ac19fc6914768041153bc7a3740397
                                                • Opcode Fuzzy Hash: 1c8ab3be0f9143453ad804498f5bba24b7375c9c3898e0530e05871c2a409d6a
                                                • Instruction Fuzzy Hash: B821C434A11208DFCF08EFB4D554AEDB7B2FB89304F10A529D41577394CB39A941CE69
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fef15cbba9eff7fa12917fe2a51b279814c51226e2cc64a2d2ec5da6ffe3f57
                                                • Instruction ID: e697fd7287a789d1ccedfd6c0afbe529cb7c385c6fb7d99f483c5e52b2a2e4a6
                                                • Opcode Fuzzy Hash: 0fef15cbba9eff7fa12917fe2a51b279814c51226e2cc64a2d2ec5da6ffe3f57
                                                • Instruction Fuzzy Hash: D121F2B4D0520A8FCB00EFA8D8455EEBFF1BB19300F00456AD809B3354EB345A95CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03c58241283d7e7605e474fa639dc62da4af8ce7de509d3dc35f670f16ea1a35
                                                • Instruction ID: 6631a7ce236af1069d393cb0ffdb9011da60addce7be0b77ddebb4843db547c6
                                                • Opcode Fuzzy Hash: 03c58241283d7e7605e474fa639dc62da4af8ce7de509d3dc35f670f16ea1a35
                                                • Instruction Fuzzy Hash: 5D212274C0460E8FCB00EFA8D4485EEBFB5FF49354F14456AD849B7264EB305A95CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 80191cb0c038fe857a0c54bbe1415ae24f59d19ef454cb62fb6a6b315428ec85
                                                • Instruction ID: f3c2d895baac7f45708d56f99170a3e66d07a3004412251cf1ab4e3253a74ff4
                                                • Opcode Fuzzy Hash: 80191cb0c038fe857a0c54bbe1415ae24f59d19ef454cb62fb6a6b315428ec85
                                                • Instruction Fuzzy Hash: ED018433B001157BDF169E599C14BFF3AAFEBC86A0F18812AF515E7280DB7AC9118794
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ce1a274172933cf074b21448dd797541dfc2ebe63e785ba74f1e80dd586c034
                                                • Instruction ID: fecee793b65d103b0ec87bbc1c9e58ae9e5c1df567ec4c1d98af0b2ae760d93c
                                                • Opcode Fuzzy Hash: 6ce1a274172933cf074b21448dd797541dfc2ebe63e785ba74f1e80dd586c034
                                                • Instruction Fuzzy Hash: 3AF096357406105F9F155A2FD858A2A77DDEFC5A773158479E505CB375DF20CC028790
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4717f9ae0812c8e3949b53235c1ae58f81e962b4c01c071d96b29688cac52616
                                                • Instruction ID: c38cf50d89e0859ab7cd5aebe286db63bad9658e7fa3073aa7ad7cbd5a75f0b4
                                                • Opcode Fuzzy Hash: 4717f9ae0812c8e3949b53235c1ae58f81e962b4c01c071d96b29688cac52616
                                                • Instruction Fuzzy Hash: 4EE0D831D1039A9FCB119AA5DC014DFBB34EDA3210B454157D1643B241E760290A87B1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 222b68fb0b70cc4edd623ae4f561d0e1ca1f610be0c451045e2cd54e3ee71b40
                                                • Instruction ID: 020420b4bdb82d539d6bb5b0c1b356b1f3b8c13a2e6ba0831e87cc0577179e21
                                                • Opcode Fuzzy Hash: 222b68fb0b70cc4edd623ae4f561d0e1ca1f610be0c451045e2cd54e3ee71b40
                                                • Instruction Fuzzy Hash: 18F01570D4020AAFDF40EFB8C80A7AFBBB5AB08244F604979E005F3240EB7886418FD0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f08798c9554d68568dee2238a6da82ab2a1034795ce65bb348557a1075079a51
                                                • Instruction ID: 72f70d4ce4de2e701fd084ca209d51f56c5ec6415747e350e7091db25431c5f0
                                                • Opcode Fuzzy Hash: f08798c9554d68568dee2238a6da82ab2a1034795ce65bb348557a1075079a51
                                                • Instruction Fuzzy Hash: AAE08C3331052127E6555A6CE848BFB138EDFC8660F004678F801DB398EF2CAE5683D1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9f8c0176d8c0cf224e9904340d571a60b92f5bb97ab5215f1f2d9c5815c58d9
                                                • Instruction ID: dbdb75ba6322bc674570a67563dca7cc8c5239b2847e4d7de10c517138586a8b
                                                • Opcode Fuzzy Hash: e9f8c0176d8c0cf224e9904340d571a60b92f5bb97ab5215f1f2d9c5815c58d9
                                                • Instruction Fuzzy Hash: 2CE0C270D4020A9FDF40EFB884097AEBBF5AB48350F60486AC115E3240EB7486418F81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f633d6a8dc6fe0afbd81b18d982659e9524849f9eaf433fd881978d879202327
                                                • Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
                                                • Opcode Fuzzy Hash: f633d6a8dc6fe0afbd81b18d982659e9524849f9eaf433fd881978d879202327
                                                • Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b4470ec2535b49152c4d3a32ca3961d419d11cadedc9cfd274adb2636cef9e6
                                                • Instruction ID: 87158e22972a666c2938a10dc8baacfaf5cbe20988b6fd3d4e527e7a07939171
                                                • Opcode Fuzzy Hash: 3b4470ec2535b49152c4d3a32ca3961d419d11cadedc9cfd274adb2636cef9e6
                                                • Instruction Fuzzy Hash: 28D05E328A42050BCA08A721EE06FA732AEAB80209F404620B4064A5A9DF7C9A1886E0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ec11f5a55c165b5c46ab27b8aa5ef1587207e6b649d382f64c18645eea42667
                                                • Instruction ID: af1703af98c2c182643448b3b72c4d96a792000ea53971dd28eb0f84bc9f21bf
                                                • Opcode Fuzzy Hash: 1ec11f5a55c165b5c46ab27b8aa5ef1587207e6b649d382f64c18645eea42667
                                                • Instruction Fuzzy Hash: 21D0673AB400189FCB049F99E8448DDBBB6FB98221B048516E915E7261C6319961DB54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9fea582bb00ca6cf8bd9806a47159b25cd27e8c675d0c3a6ba5c8598367a2394
                                                • Instruction ID: 9c5d5c0c7a79cb863c9bfb49b33c64c9e9d6a663ea2d0aa00dd5727c0ee820c0
                                                • Opcode Fuzzy Hash: 9fea582bb00ca6cf8bd9806a47159b25cd27e8c675d0c3a6ba5c8598367a2394
                                                • Instruction Fuzzy Hash: FFC012308743094FC64DFB65FB46D15376EBBC0608F504521E0060B56DDF78584C86A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22ecbdc694ed64630cd37779dcac7e7e2b04223e1774f7aa7f84956b962578ac
                                                • Instruction ID: 1e2d13e1f224c904b6a144c71b93aa73d0588719b2e40bf7cbe39b8b4dc644ed
                                                • Opcode Fuzzy Hash: 22ecbdc694ed64630cd37779dcac7e7e2b04223e1774f7aa7f84956b962578ac
                                                • Instruction Fuzzy Hash: A5B092276820109BEA008100EE0DB7F5B0CD3C1351F649173B0A4C1A88C02D8F2287B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Xaq$$]q
                                                • API String ID: 0-1280934391
                                                • Opcode ID: acbc2ad4cb14c3270d77f2bc593253a3f83b29c605c223aec8e00aa0f21052ed
                                                • Instruction ID: 471ff85f96511e3ed509503e47e47c6f86cc396431860f11bdc1c4af7dc2c4eb
                                                • Opcode Fuzzy Hash: acbc2ad4cb14c3270d77f2bc593253a3f83b29c605c223aec8e00aa0f21052ed
                                                • Instruction Fuzzy Hash: 7CA19174B042589BDF189F79845427EBBA7BFC8720B048969E846E7388CE35C847C795
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2238732708.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2990000_tVuAoupHhZ.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \;]q$\;]q$\;]q$\;]q
                                                • API String ID: 0-2351511683
                                                • Opcode ID: eb4fc90dd4910a22a08144d0080c7529e4d6ae873dab4347b3f6ee138186c8eb
                                                • Instruction ID: 12b424500ebac0d3222574d5987ff5ca04dbbc0e1ce1c129d6b4a530137c64ad
                                                • Opcode Fuzzy Hash: eb4fc90dd4910a22a08144d0080c7529e4d6ae873dab4347b3f6ee138186c8eb
                                                • Instruction Fuzzy Hash: 47018F317401148FCF648FADC494A2577EEAF88A74725457AE502CB3B4DB31EC61C790