
Windows Analysis Report
VCU262Y2QB.exe

Overview

General Information

Sample name: VCU262Y2QB.exe (renamed because original name is a hash value)
Original sample name: 2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01.exe
Analysis ID: 1588357
MD5: c4407cbd68725778ecd99dc7638be000
SHA1: 0a232725a5857010de9eb61837fe6bbb3a6e151f
SHA256: 2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • VCU262Y2QB.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: C4407CBD68725778ECD99DC7638BE000)
    • VCU262Y2QB.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: C4407CBD68725778ECD99DC7638BE000)
      • cmd.exe (PID: 824 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 6448 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (Snake Keylogger): {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1491f:$a1: get_encryptedPassword
  • 0x14c0b:$a2: get_encryptedUsername
  • 0x1472b:$a3: get_timePasswordChanged
  • 0x14826:$a4: get_passwordField
  • 0x14935:$a5: set_encryptedPassword
  • 0x15fd0:$a7: get_logins
  • 0x15f33:$a10: KeyLoggerEventArgs
  • 0x15b9e:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x182f8:$x1: $%SMTPDV$
  • 0x1835e:$x2: $#TheHashHere%&
  • 0x19a4c:$x3: %FTPDV$
  • 0x19b40:$x4: $%TelegramDv$
  • 0x15b9e:$x5: KeyLoggerEventArgs
  • 0x15f33:$x5: KeyLoggerEventArgs
  • 0x19a70:$m2: Clipboard Logs ID
  • 0x19c90:$m2: Screenshot Logs ID
  • 0x19da0:$m2: keystroke Logs ID
  • 0x1a07a:$m3: SnakePW
  • 0x19c68:$m4: \SnakeKeylogger\
00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.VCU262Y2QB.exe.34b8718.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.VCU262Y2QB.exe.34b8718.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.VCU262Y2QB.exe.34b8718.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12d1f:$a1: get_encryptedPassword
  • 0x1300b:$a2: get_encryptedUsername
  • 0x12b2b:$a3: get_timePasswordChanged
  • 0x12c26:$a4: get_passwordField
  • 0x12d35:$a5: set_encryptedPassword
  • 0x143d0:$a7: get_logins
  • 0x14333:$a10: KeyLoggerEventArgs
  • 0x13f9e:$a11: KeyLoggerEventArgsEventHandler
0.2.VCU262Y2QB.exe.34b8718.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a84a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x19a7c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19eaf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1aeee:$a5: \Kometa\User Data\Default\Login Data
2.2.VCU262Y2QB.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:16:07.676712+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49716 | 104.21.16.1 | 443 | TCP
2025-01-11T01:16:15.170686+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49721 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:16:02.502862+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49710 | 158.101.44.242 | 80 | TCP
2025-01-11T01:16:05.512800+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49710 | 158.101.44.242 | 80 | TCP
2025-01-11T01:16:06.971618+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49710 | 158.101.44.242 | 80 | TCP
2025-01-11T01:16:11.174849+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49717 | 158.101.44.242 | 80 | TCP
2025-01-11T01:16:14.581011+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49720 | 158.101.44.242 | 80 | TCP


              AV Detection

Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source: VCU262Y2QB.exe | ReversingLabs: Detection: 68%
Source: VCU262Y2QB.exe | Virustotal: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VCU262Y2QB.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: VCU262Y2QB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49713 version: TLS 1.0
Source: VCU262Y2QB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: VCU262Y2QB.exe, 00000000.00000002.3936703735.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000000.00000002.3939604873.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp

              Networking

Source: Yara match | File source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49720 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49717 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49710 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49716 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49721 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003204000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.000000000322C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VCU262Y2QB.exe | String found in binary or memory: https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189x
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

              System Summary

Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 0_2_00A4D364
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 0_2_081794F8
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4C1E9
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F46120
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4C7A8
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4B740
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4C4C9
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F44A8F
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4CA88
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F46898
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F49868
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4BEA7
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4CD69
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F43570
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 2_2_02F4BF08
Source: VCU262Y2QB.exe, 00000000.00000002.3936703735.00000000023D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3936703735.00000000023D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3939363854.0000000004D70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3939604873.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3935496193.000000000063E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000000.00000000.2671986070.000000000011A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInochia.exe0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe | Binary or memory string: OriginalFilenameInochia.exe0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine | Classification label: mal92.troj.winEXE@8/0@2/2
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:120:WilError_03
Source: VCU262Y2QB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VCU262Y2QB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VCU262Y2QB.exe | ReversingLabs: Detection: 68%
Source: VCU262Y2QB.exe | Virustotal: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: VCU262Y2QB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VCU262Y2QB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: VCU262Y2QB.exe, 00000000.00000002.3936703735.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000000.00000002.3939604873.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp
Source: VCU262Y2QB.exe | Static PE information: 0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
Source: VCU262Y2QB.exe | Static PE information: section name: .text entropy: 7.348087930069703
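The static PE facts listed above (a COM descriptor data directory marking a .NET image, the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE flags, a TimeDateStamp of 0x81AF2B24 that decodes to a date in 2038, and a .text section with entropy 7.35) are all readable from the headers without running anything. The Python below is an added example, not Joe Sandbox code and not taken from the sample; it parses the DOS, COFF, optional and section headers with only the standard library. Because the sample itself is not on this page, the block constructs a minimal PE32 carrying the same header values and a pseudo-random .text body to run against; the 7.0 entropy threshold and the analysis-clock date are assumptions.

```python
import math
import random
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot holding the .NET CLR header
HIGH_ENTROPY = 7.0                          # assumed threshold for a packed/encrypted section
CLOCK = datetime(2025, 1, 10, tzinfo=timezone.utc)   # assumed "now" at analysis time


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(data: bytes, now: datetime) -> dict:
    """Parse PE headers and return the facts a sandbox's static-PE signatures are built on."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32 (32-bit image)
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: 8-byte stack/heap fields push the directories 16 bytes down
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]      # DllCharacteristics sits at +70 in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, _ = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & 0x20000000),           # IMAGE_SCN_MEM_EXECUTE
        })
    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "is_32bit": magic == 0x10B,
        "timestamp": built,
        "timestamp_in_future": built > now,                   # the report's "suspicious time stamp"
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit],
        "is_dotnet": com_rva != 0,
        "sections": sections,
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > HIGH_ENTROPY],
    }


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed minimal PE32 with a single .text section (not the sample from the report)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew at 0x3C -> headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)      # the four flags the report lists
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr,
                          0, 0, 0, 0, 0x20 | 0x20000000 | 0x40000000)      # CNT_CODE|MEM_EXECUTE|MEM_READ
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(raw_ptr, b"\0") + text


# Constructed inputs: the report's timestamp, a seeded pseudo-random .text body and an all-zero one
REPORT_TIMESTAMP = 0x81AF2B24
_rng = random.Random(1)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"\0" * 4096


def triage_sample(text: bytes = PACKED_TEXT) -> dict:
    """Build the constructed PE around `text` and analyze it against the assumed clock."""
    return analyze_pe(build_sample_pe(REPORT_TIMESTAMP, text), now=CLOCK)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

The timestamp check compares against the analysis clock rather than the current wall clock so that results are reproducible; on a real sample, a compile time years in the future (or before the toolchain existed) is a linker field the author overwrote, which is why the report counts it as suspicious rather than as a build date. Entropy close to 8 in an executable section of a .NET binary is the other cheap signal that the code is carried encrypted and unpacked at run time, which matches the injected child process seen in the Yara hits above.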

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
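The cmd.exe command line above is the self-deletion pattern the report flags: `choice /C Y /N /D Y /T 3` is used only as a three-second sleep so the parent can exit before `Del` removes its own image. The Python below is an added detection example, not part of the report or of the sample; it runs over constructed process-creation records in a Sysmon-like shape (the `Image`, `ParentImage` and `CommandLine` field names are an assumption about the log schema) and reports a cmd.exe child whose `del` target is its parent's own image path, together with the delay primitive used. It also handles the `ping -n` and `timeout` variants of the same trick, which this sample does not use.

```python
import re

# Pieces of the self-delete one-liner. Paths may be quoted or bare; commands may be chained with & or |.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b\s+(?:/\w\s+)*"?(?P<target>[^"&|]+?)"?\s*(?:&|\||$)', re.I)
DELAY_RES = {
    # choice /C Y /N /D Y /T 3 -> waits 3 s, then auto-selects the default answer
    "choice": re.compile(r'\bchoice\b[^&|]*?/T\s+(?P<secs>\d+)', re.I),
    # timeout /T 3 or timeout 3
    "timeout": re.compile(r'\btimeout\b\s+(?:/T\s+)?(?P<secs>\d+)', re.I),
    # ping -n 4 127.0.0.1 -> roughly (n-1) seconds of delay
    "ping": re.compile(r'\bping\b[^&|]*?-n\s+(?P<secs>\d+)', re.I),
}


def _norm(path: str) -> str:
    """Case-fold and strip quotes so a quoted target compares equal to the logged image path."""
    return path.strip().strip('"').casefold()


def _delay(cmdline: str):
    """Return (primitive, seconds) for the first sleep substitute found, or None."""
    for name, rx in DELAY_RES.items():
        m = rx.search(cmdline)
        if m:
            secs = int(m.group("secs"))
            return (name, max(secs - 1, 0) if name == "ping" else secs)
    return None


def detect_self_delete(events):
    """Flag cmd.exe children whose del/erase target is the parent's own executable."""
    findings = []
    for ev in events:
        if not _norm(ev.get("Image", "")).endswith("\\cmd.exe"):
            continue
        cmdline = ev.get("CommandLine", "")
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        parent = ev.get("ParentImage", "")
        if _norm(m.group("target")) != _norm(parent):
            continue                      # deleting some other file is routine cleanup, not self-deletion
        findings.append({
            "ProcessId": ev.get("ProcessId"),
            "ParentImage": parent,
            "delay": _delay(cmdline),
            "CommandLine": cmdline,
        })
    return findings


# Constructed records modelled on the report's process tree; the PIDs and the last two events are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 7000, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\VCU262Y2QB.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"'},
    {"ProcessId": 7001, "Image": r"C:\Windows\SysWOW64\choice.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "choice /C Y /N /D Y /T 3"},
    {"ProcessId": 7100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Installer\setup.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\user\AppData\Local\Temp\setup.log"'},
    {"ProcessId": 7200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Downloads\drop.exe",
     "CommandLine": r'cmd.exe /c ping -n 4 127.0.0.1 > nul & del C:\Users\user\Downloads\drop.exe'},
]

if __name__ == "__main__":
    for f in detect_self_delete(SAMPLE_EVENTS):
        print(f"PID {f['ProcessId']}: {f['ParentImage']} deletes itself via {f['delay']}")
```

Matching on the parent image rather than on the literal path in the command line is what keeps the rule honest: the command line says `C:\Windows\System32\cmd.exe` while the logged image is `C:\Windows\SysWOW64\cmd.exe`, because the 32-bit parent is subject to file-system redirection, so any rule that compared raw strings between the two fields would miss this exact sample. Deleting a different file (the third record) is not reported.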
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries)
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: A40000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 23D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 43D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 2F00000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 3150000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 600000
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 599734
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 599066
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598921
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598809
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598703
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598594
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598484
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598375
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598266
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598141
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 598000
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597890
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597779
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597672
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597547
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597438
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597313
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597203
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 597094
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596969
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596850
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596749
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596640
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596531
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596418
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596306
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596182
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 596069
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595813
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595688
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595578
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595469
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595344
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595234
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595125
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 595016
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594906
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594797
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594687
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594577
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594469
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594344
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594234
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594125
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 594016
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593905
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593776
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593672
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593563
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593438
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Thread delayed: delay time: 593313
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Window / User API: threadDelayed 2779
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Window / User API: threadDelayed 7051
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep count: 41 > 30
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -37815825351104557s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -600000s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7092 | Thread sleep count: 2779 > 30
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -599734s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7092 | Thread sleep count: 7051 > 30
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -599066s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598921s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598809s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598703s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598594s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598484s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598375s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598266s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598141s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -598000s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597890s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597779s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597672s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597547s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597438s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597313s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597203s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -597094s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596969s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596850s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596749s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596640s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596531s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596418s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596306s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596182s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -596069s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595813s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595688s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595578s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595469s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595344s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595234s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595125s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -595016s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594906s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594797s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594687s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594577s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594469s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594344s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594234s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594125s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -594016s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593905s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593776s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593672s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593563s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593438s >= -30000s
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7084 | Thread sleep time: -593313s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: VCU262Y2QB.exe, 00000002.00000002.2925140498.0000000001296000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
              Source: VCU262Y2QB.exe | Binary or memory string: ResumeVirtualMachine
              Source: VCU262Y2QB.exe | Binary or memory string: iqEMUhZ
              Source: VCU262Y2QB.exe | Binary or memory string: InitializeVirtualMachine
              Source: VCU262Y2QB.exe, 00000002.00000002.2928239279.0000000006970000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: VCU262Y2QB.exe | Binary or memory string: get_VirtualMachine
              Source: VCU262Y2QB.exe | Binary or memory string: get_MonoVirtualMachine
              Source: VCU262Y2QB.exe | Binary or memory string: VirtualMachineManager
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Users\user\Desktop\VCU262Y2QB.exe VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Users\user\Desktop\VCU262Y2QB.exe VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTR
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34d9348.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.34b8718.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.VCU262Y2QB.exe.3428078.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6760, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: VCU262Y2QB.exe PID: 6828, type: MEMORYSTR
              MITRE ATT&CK Matrix

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (11) | Disable or Modify Tools (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Timestomp (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | System Information Discovery (12) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Source | Detection | Scanner | Label
              VCU262Y2QB.exe | 68% | ReversingLabs | Win32.Spyware.Snakekeylogger
              VCU262Y2QB.exe | 72% | Virustotal |
              VCU262Y2QB.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              reallyfreegeoip.org | 104.21.16.1 | true | false | | high
              checkip.dyndns.com | 158.101.44.242 | true | false | | high
              checkip.dyndns.org | unknown | unknown | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              http://checkip.dyndns.org/ | false | | high
              https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189x | VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games | VCU262Y2QB.exe | false | | high
http://checkip.dyndns.org | VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003204000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003256000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.000000000322C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | VCU262Y2QB.exe, 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000002.00000002.2926305512.0000000003213000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1588357
Start date and time:2025-01-11 01:14:26 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:VCU262Y2QB.exe
renamed because original name is a hash value
Original Sample Name:2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01.exe
Detection:MAL
Classification:mal92.troj.winEXE@8/0@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 71
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target VCU262Y2QB.exe, PID 6828 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
19:16:05 | API Interceptor | 138x Sleep call for process: VCU262Y2QB.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
158.101.44.242 | WGi85dsMNp.exe | malicious | GuLoader | checkip.dyndns.org/
158.101.44.242 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | PK5pHX4Gu5.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | SABXJ1B5c8.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | 4UQ5wnI389.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | jxy62Zm6c4.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | MzqLQjCwrw.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | H75MnQEha8.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
checkip.dyndns.com | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1
reallyfreegeoip.org | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | 2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.48.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://txto.eu.org/ | malicious | Unknown | 104.21.16.1
CLOUDFLARENETUS | ru52XOQ1p7.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.32.1
CLOUDFLARENETUS | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
CLOUDFLARENETUS | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 172.66.0.227
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader | 158.101.44.242
ORACLE-BMC-31898US | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | 2NJzy3tiny.exe | malicious | MassLogger RAT | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | 2NJzy3tiny.exe | malicious | MassLogger RAT | 104.21.16.1
54328bd36c14bd82ddaa0c04b25ed9ad | z87sammylastborn.exe | malicious | MassLogger RAT | 104.21.16.1
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.337433815181913
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:VCU262Y2QB.exe
File size:553'472 bytes
MD5:c4407cbd68725778ecd99dc7638be000
SHA1:0a232725a5857010de9eb61837fe6bbb3a6e151f
SHA256:2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01
SHA512:4ba0d5c953ce0ee4c984f36360c60fa4212d77633ec24b8bbff91ead5dbbd853272c9c6b4700e0db6865bc6678bd356c039a7623d134ff44068e107b3ad80376
SSDEEP:12288:YiU+RfWk1Sm5bpviLs+fMKqirYo4A4OPoTo84RPlA24:Yi3fWxIbZiLsSPWotf
TLSH:B0C4BF2972E8E317D5AF0B3AF43411005B7ABE93B19AEF0D5C44A5EF0D53BD199122A3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..h............... ........@.. ....................................@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4887de
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88790 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x867e4 | 0x86800 | 63fda6f3138ba46403304e0b8af4d0a3 | False | 0.6022867536013011 | data | 7.348087930069703 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x596 | 0x600 | bb337337fd525b603631f27b8432eb2e | False | 0.41015625 | data | 4.03984594780929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | ea0438b2ffa5d5203b31ad259aa8633b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                Language  Country  ZLIB Complexity
RT_VERSION   0x8a0a0  0x30c  data                                                                                                   0.4230769230769231
RT_MANIFEST  0x8a3ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                          Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2025-01-11T01:16:02.502862+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.12  49710        158.101.44.242  80         TCP
2025-01-11T01:16:05.512800+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.12  49710        158.101.44.242  80         TCP
2025-01-11T01:16:06.971618+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.12  49710        158.101.44.242  80         TCP
2025-01-11T01:16:07.676712+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.12  49716        104.21.16.1     443        TCP
2025-01-11T01:16:11.174849+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.12  49717        158.101.44.242  80         TCP
2025-01-11T01:16:14.581011+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.12  49720        158.101.44.242  80         TCP
2025-01-11T01:16:15.170686+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.12  49721        104.21.16.1     443        TCP
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 11, 2025 01:16:00.473233938 CET  59023        53         192.168.2.12  1.1.1.1
Jan 11, 2025 01:16:00.480349064 CET  53           59023      1.1.1.1       192.168.2.12
Jan 11, 2025 01:16:02.498317003 CET  50574        53         192.168.2.12  1.1.1.1
Jan 11, 2025 01:16:02.505886078 CET  53           50574      1.1.1.1       192.168.2.12
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 11, 2025 01:16:00.473233938 CET  192.168.2.12  1.1.1.1  0x346e    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 11, 2025 01:16:02.498317003 CET  192.168.2.12  1.1.1.1  0xaf1b    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.org   checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)  false
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.com                       158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.com                       193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.com                       193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.com                       132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:00.480349064 CET  1.1.1.1    192.168.2.12  0x346e    No error (0)  checkip.dyndns.com                       132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.16.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.64.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.48.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.96.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.80.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.32.1     A (IP address)          IN (0x0001)  false
Jan 11, 2025 01:16:02.505886078 CET  1.1.1.1    192.168.2.12  0xaf1b    No error (0)  reallyfreegeoip.org                      104.21.112.1    A (IP address)          IN (0x0001)  false
                                            • reallyfreegeoip.org
                                            • checkip.dyndns.org
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.12  49710        158.101.44.242  80                6828  C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 01:16:00.593540907 CET  151                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
                                            Connection: Keep-Alive
Jan 11, 2025 01:16:01.547848940 CET  321                IN         HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:01 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: a8cce52d69575bf519550a33fb77e127
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:16:01.555723906 CET  127                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
Jan 11, 2025 01:16:02.456558943 CET  321                IN         HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:02 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: 946f467aef6a94102d8f51ddef1df8f1
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:16:03.344970942 CET  127                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
Jan 11, 2025 01:16:05.501965046 CET  730                IN         HTTP/1.1 502 Bad Gateway
                                            Date: Sat, 11 Jan 2025 00:16:05 GMT
                                            Content-Type: text/html
                                            Content-Length: 547
                                            Connection: keep-alive
                                            X-Request-ID: 1d3158cc9c2def8f66b1fd73e5f98a3f
                                            Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 11, 2025 01:16:05.512799978 CET  127                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
Jan 11, 2025 01:16:06.921073914 CET  321                IN         HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:06 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: 4a2a5c218f1bdfabc3a4f89aabbcb15f
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.12  49717        158.101.44.242  80                6828  C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 01:16:08.000806093 CET  127                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
Jan 11, 2025 01:16:11.124875069 CET  321                IN         HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:11 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: 2c2b38c74f357063ba55cc17922033f4
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.12  49720        158.101.44.242  80                6828  C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 01:16:11.757834911 CET  127                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
Jan 11, 2025 01:16:14.536998987 CET  321                IN         HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:14 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: 04f4a3db5d1533b0d6bfdf1ceeeef37a
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.12  49723        158.101.44.242  80                6828  C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 01:16:15.182893038 CET  151                OUT        GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
                                            Connection: Keep-Alive
Jan 11, 2025 01:16:17.763827085 CET  730                IN         HTTP/1.1 502 Bad Gateway
                                            Date: Sat, 11 Jan 2025 00:16:17 GMT
                                            Content-Type: text/html
                                            Content-Length: 547
                                            Connection: keep-alive
                                            X-Request-ID: 9c1f934dd3d480c1b4d3da95fd80823e
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
                                            Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID: 4 | Source IP: 192.168.2.12 | Source Port: 49727 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: Jan 11, 2025 01:16:17.773529053 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
                                            Connection: Keep-Alive
                                            Timestamp: Jan 11, 2025 01:16:20.570597887 CET | Bytes transferred: 321 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:20 GMT
                                            Content-Type: text/html
                                            Content-Length: 104
                                            Connection: keep-alive
                                            Cache-Control: no-cache
                                            Pragma: no-cache
                                            X-Request-ID: ceb7af79ffcd544c8806c15336a92180
                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                            Session ID: 5 | Source IP: 192.168.2.12 | Source Port: 49729 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: Jan 11, 2025 01:16:21.199685097 CET | Bytes transferred: 151 | Direction: OUT | Data: GET / HTTP/1.1
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                            Host: checkip.dyndns.org
                                            Connection: Keep-Alive
                                            Timestamp: Jan 11, 2025 01:16:23.769712925 CET | Bytes transferred: 730 | Direction: IN | Data: HTTP/1.1 502 Bad Gateway
                                            Date: Sat, 11 Jan 2025 00:16:23 GMT
                                            Content-Type: text/html
                                            Content-Length: 547
                                            Connection: keep-alive
                                            X-Request-ID: f7c8a3030a3745e5b13c1c3dfcacaf86
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
                                            Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                            Session ID: 0 | Source IP: 192.168.2.12 | Source Port: 49713 | Destination IP: 104.21.16.14 | Destination Port: 443 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: 2025-01-11 00:16:03 UTC | Bytes transferred: 85 | Direction: OUT | Data: GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Connection: Keep-Alive
                                            Timestamp: 2025-01-11 00:16:03 UTC | Bytes transferred: 851 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:03 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1869352
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wrItRlGoRiC5Gi4FyKbiUfu5tDLHAmf3EvJmXFmL7umZSpoI7NzpfxVK0nm2wHQMTxosFgsysxYeL4e%2FQW8Hdp8RSIZOTEjDKNmRfo5SAxmy6jteZzVi2Yq1Tl0f7BSt2GDl39gA"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 9000b7447c648ce0-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1811&rtt_var=696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1554845&cwnd=215&unsent_bytes=0&cid=5047d3f49f43645f&ts=373&x=0"
                                            Timestamp: 2025-01-11 00:16:03 UTC | Bytes transferred: 362 | Direction: IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                            Session ID: 1 | Source IP: 192.168.2.12 | Source Port: 49716 | Destination IP: 104.21.16.14 | Destination Port: 443 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: 2025-01-11 00:16:07 UTC | Bytes transferred: 61 | Direction: OUT | Data: GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Timestamp: 2025-01-11 00:16:07 UTC | Bytes transferred: 853 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:07 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1869356
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Id8O9PHshT4loZx47oYsRHSM1wdlcheQLeG3Y7XZSq9SBMtSiVb%2B91HnyEulkuVO98nzXVrpKHqFkhpLgiBhUXu2PIh2F24rfDlkAUaakVPwkoAwlJ7xZ%2BBavMFAj4VZu5Lhk6zK"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 9000b75f9d7c1899-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1620&rtt_var=622&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1739130&cwnd=153&unsent_bytes=0&cid=36ea5aa2bffaad9c&ts=271&x=0"
                                            Timestamp: 2025-01-11 00:16:07 UTC | Bytes transferred: 362 | Direction: IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                            Session ID: 2 | Source IP: 192.168.2.12 | Source Port: 49719 | Destination IP: 104.21.16.14 | Destination Port: 443 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: 2025-01-11 00:16:11 UTC | Bytes transferred: 85 | Direction: OUT | Data: GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Connection: Keep-Alive
                                            Timestamp: 2025-01-11 00:16:11 UTC | Bytes transferred: 855 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:11 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1869360
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wVI2fCSX8qoV1Mg%2Fdx9gvzjQJWsowa2g4AY48e07C6Z2ajV70mwQK5Sv8yctLNg%2BEyYQdx5cgdlY6qyDVBXGpdaH7ppKBNLNqCp9pSSG%2FqwZUIQP5ATdklPYtmzlI9X9j0ibqruT"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 9000b7790d551899-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1652&min_rtt=1625&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1796923&cwnd=153&unsent_bytes=0&cid=e014aeb08cf9da9e&ts=132&x=0"
                                            Timestamp: 2025-01-11 00:16:11 UTC | Bytes transferred: 362 | Direction: IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                            Session ID: 3 | Source IP: 192.168.2.12 | Source Port: 49721 | Destination IP: 104.21.16.14 | Destination Port: 443 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: 2025-01-11 00:16:15 UTC | Bytes transferred: 61 | Direction: OUT | Data: GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Timestamp: 2025-01-11 00:16:15 UTC | Bytes transferred: 861 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:15 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1869364
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oRrLtk9opy2GYKn2EtmPF%2Fob%2Bvyq56%2BPibLBIlIR8X%2BfcvLpHKkgBUoqdISIP5t4QRbbjYE8yCqfyNs%2BkGaQmftTEQxdV6h5vNRXAHb9Zr4jhQ8w%2BXjujvpGnbX0iqjMjNS1CRyz"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 9000b78e6bd37293-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1923&rtt_var=728&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1518460&cwnd=158&unsent_bytes=0&cid=eb0b7a4822125b86&ts=165&x=0"
                                            Timestamp: 2025-01-11 00:16:15 UTC | Bytes transferred: 362 | Direction: IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                            Session ID: 4 | Source IP: 192.168.2.12 | Source Port: 49728 | Destination IP: 104.21.16.14 | Destination Port: 443 | PID: 6828 | Process: C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Timestamp: 2025-01-11 00:16:21 UTC | Bytes transferred: 85 | Direction: OUT | Data: GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Connection: Keep-Alive
                                            Timestamp: 2025-01-11 00:16:21 UTC | Bytes transferred: 857 | Direction: IN | Data: HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 00:16:21 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1869370
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1tpT4lDMa83bCtfcRkJChIF35p4pnz6gai5Vb0ZeO9DjuRF%2FXEdxnnwP2qpPA4mvATvlPNG8NrkoZTcrH7t%2FZJ7v7QbgcACMy4As9ZyZQ%2BKnufRryeD3Lhma1uEV%2FUWtiiP7JRIj"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 9000b7b40f931899-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1545&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1823860&cwnd=153&unsent_bytes=0&cid=af222674a4c7ef1b&ts=141&x=0"
                                            Timestamp: 2025-01-11 00:16:21 UTC | Bytes transferred: 362 | Direction: IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                            Target ID:0
                                            Start time:19:15:57
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\VCU262Y2QB.exe"
                                            Imagebase:0x90000
                                            File size:553'472 bytes
                                            MD5 hash:C4407CBD68725778ECD99DC7638BE000
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3938041321.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:false

                                            Target ID:2
                                            Start time:19:15:58
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\VCU262Y2QB.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\VCU262Y2QB.exe"
                                            Imagebase:0xd40000
                                            File size:553'472 bytes
                                            MD5 hash:C4407CBD68725778ECD99DC7638BE000
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.2924867689.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2926305512.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:5
                                            Start time:19:16:22
                                            Start date:10/01/2025
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
                                            Imagebase:0x1f0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:19:16:22
                                            Start date:10/01/2025
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff704000000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:19:16:22
                                            Start date:10/01/2025
                                            Path:C:\Windows\SysWOW64\choice.exe
                                            Wow64 process (32bit):true
                                            Commandline:choice /C Y /N /D Y /T 3
                                            Imagebase:0xb30000
                                            File size:28'160 bytes
                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:9.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:2.5%
                                              Total number of Nodes:118
                                              Total number of Limit Nodes:13
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: 62325034b94d2d2e1c567c5078c6eb54fbf2f872f75ed7ce3dee002e65755316
                                              • Instruction ID: a79255958099fdb8d134bb91b404f381c3e473af1bf061e0121a741f7f68eb8c
                                              • Opcode Fuzzy Hash: 62325034b94d2d2e1c567c5078c6eb54fbf2f872f75ed7ce3dee002e65755316
                                              • Instruction Fuzzy Hash: 5AF13A70A00209CFEB14DFA9C844BADBBF1FF88305F15816DE409AB265DB79A949CF50

Control-flow Graph
• Rendered graph not reproduced. Function a4ada8-a4b028; internal calls to a4a100, a4a10c, a4a11c, a4a12c, a4a13c, a4b030, a4b040; API call GetModuleHandleW in block a4afe0-a4b00b.
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00A4AFFE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: e6e01fdbab682950a39d5429ef30552c7aea57b73d1bf176a6875fdc292bf824
                                              • Instruction ID: ead90c5cf2571603380949be41dd5da1aa2f0f1d257ed1da208be02b1333ca4f
                                              • Opcode Fuzzy Hash: e6e01fdbab682950a39d5429ef30552c7aea57b73d1bf176a6875fdc292bf824
                                              • Instruction Fuzzy Hash: 19715674A00B058FDB24DF2AD44175ABBF1FF88304F108A2DE59AD7A50D735E849CB92

Control-flow Graph
• Rendered graph not reproduced. Single block a45a84-a45b14; no API calls.
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b52d395ed10134c2ee97bae96d112c6d6905a3ac45af8032073ed42cd4002a6
                                              • Instruction ID: f35d5e4c3eb903a008e1011f4fef9bb425a022850ef3289106d80fb926b8bb41
                                              • Opcode Fuzzy Hash: 8b52d395ed10134c2ee97bae96d112c6d6905a3ac45af8032073ed42cd4002a6
                                              • Instruction Fuzzy Hash: 1F31AC79C05A49CFDF21CFB8C8597DDBBB0EF82314F24829AC445AB292C7766906CB51

Control-flow Graph
• Rendered graph not reproduced. Function a4590d-a45a61; API call CreateActCtxA in block a4598f-a459d9; ends in a self-loop at a45a61.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00A459C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 428e46c078b5ea61ee97ad21e8d3f4050cceaaa61dac546f48a8a00b97728fb4
                                              • Instruction ID: 2f8b1b8c372074a81564c7eeeb5e3a9797a4c79ffd74e7e4d35605621b19b220
                                              • Opcode Fuzzy Hash: 428e46c078b5ea61ee97ad21e8d3f4050cceaaa61dac546f48a8a00b97728fb4
                                              • Instruction Fuzzy Hash: 0241D170D00719CBEF24CFA9C884BCDBBB6BF89704F20816AD508AB251DB756946CF91

Control-flow Graph
• Rendered graph not reproduced. Function a44248-a45a61; API call CreateActCtxA in block a44248-a459d9; ends in a self-loop at a45a61.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00A459C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 92cc51b382e6646840e5aae4afc52e720ea8f988df49368b0fd1e665c5d69e93
                                              • Instruction ID: bddb65d13b3888aad23980d0406982d491229c3bf1cfd00afe9c5310685a442f
                                              • Opcode Fuzzy Hash: 92cc51b382e6646840e5aae4afc52e720ea8f988df49368b0fd1e665c5d69e93
                                              • Instruction Fuzzy Hash: ED41D170C0071DCBEB24CFAAC884B8DBBB5FF89704F20816AD508AB251DB756946CF91

Control-flow Graph
• Rendered graph not reproduced. Function a4b790-a4d73a; API call DuplicateHandle in block a4b790-a4d714.
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A4D646,?,?,?,?,?), ref: 00A4D707
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 8dfd6bffc08f793dc7d6216760166495a8baabc956ae2e7dc62b23534aa78531
                                              • Instruction ID: a338b4b6dffe285efdca84ea44f640b0219dafbe4ba11ddfd7188b1dba8c16b1
                                              • Opcode Fuzzy Hash: 8dfd6bffc08f793dc7d6216760166495a8baabc956ae2e7dc62b23534aa78531
                                              • Instruction Fuzzy Hash: 8521E4B5900349EFDB10CFAAD884ADEBBF4EB48310F14841AE918B3350D378A950CFA5

Control-flow Graph
• Rendered graph not reproduced. Function a4d679-a4d73a; API call DuplicateHandle in block a4d679-a4d714.
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A4D646,?,?,?,?,?), ref: 00A4D707
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 7e93d7f37f6dc09798df5d327a97b90fcd76aa7d714a08672f5644f5a15f79ee
                                              • Instruction ID: 8339da93b2c125a6a7ce120d332fe5089c6e3adf877e19da1b3391ddc5f51c70
                                              • Opcode Fuzzy Hash: 7e93d7f37f6dc09798df5d327a97b90fcd76aa7d714a08672f5644f5a15f79ee
                                              • Instruction Fuzzy Hash: 5021E4B5900249DFDB10CFAAD984ADEBBF5EB48310F14802AE918A7351D378A944CFA5

Control-flow Graph
• Rendered graph not reproduced. Function 8170563-817061c; API call PostMessageW in block 817058c-81705f2.
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 081705E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 4ce6b1ca01041fa936abf99aa19da88c8d1f11d18063d6ea5d876cc162c53e50
                                              • Instruction ID: 853020f62ad431ea455bc761e0e5a85262d9b66667f4d31d399fd5242ef4366d
                                              • Opcode Fuzzy Hash: 4ce6b1ca01041fa936abf99aa19da88c8d1f11d18063d6ea5d876cc162c53e50
                                              • Instruction Fuzzy Hash: 9C217CB18087898FDB11CF99C844BDEBFF4EF4A310F14809ED554A7662C338A944CBA1

Control-flow Graph
• Rendered graph not reproduced. Function 8170588-817061c; API call PostMessageW in block 8170588-81705f2.
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 081705E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 95390428f0b251b5aec5faa528cb3d733da2887703a89ae23c8c215099f6731b
                                              • Instruction ID: f1670d0771895090cf250199d9a5481e3c6343f85c44c0b3a7634517b082e8ba
                                              • Opcode Fuzzy Hash: 95390428f0b251b5aec5faa528cb3d733da2887703a89ae23c8c215099f6731b
                                              • Instruction Fuzzy Hash: 8F1125B1800349CFDB10CF9AC845BDEBBF8EB48320F108419D554A3240C378A984CFA1

Control-flow Graph
• Rendered graph not reproduced. Function a4af98-a4b028; API call GetModuleHandleW in block a4afe0-a4b00b.
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00A4AFFE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936440394.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_a40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d6cd902bf3d4f91c5a929629e65a4f4fe0f3582540c9cb61a1387fc6766878ae
                                              • Instruction ID: b6b1fc3c423474544a2006c2034c8f1e970d77a2b0cb92cf0aa31dae89f2b140
                                              • Opcode Fuzzy Hash: d6cd902bf3d4f91c5a929629e65a4f4fe0f3582540c9cb61a1387fc6766878ae
                                              • Instruction Fuzzy Hash: BA11DFB5C006498FDB20CFAAD444BDEFBF4AB88314F10846AD929A7610D379A545CFA1

Control-flow Graph
• Rendered graph not reproduced. Function 81708a0-8171f50; API call OleInitialize in block 81708a0-8171f2a.
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 08171F1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: ac9f3a67b18f7df9b0f8841c51f7469f87f7a689c68eb8e2ea90a38f00db2600
                                              • Instruction ID: 725eec96647b3bc260813b425803bf420ae7073f34a5a5baf930f3ec856e5f90
                                              • Opcode Fuzzy Hash: ac9f3a67b18f7df9b0f8841c51f7469f87f7a689c68eb8e2ea90a38f00db2600
                                              • Instruction Fuzzy Hash: AA1130B18003489FDB20DFAAC544B9EBBF8EF48320F20845AD619A3200C379A944CFA1

Control-flow Graph
• Rendered graph not reproduced. Function 817a258-817a2e7; API call DispatchMessageW in block 817a258-817a2ca.
                                              APIs
                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0817981F), ref: 0817A2BD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: 87c6717e0cdf94e197a02006e27135dda25f689b70762e6d52f76c329653913a
                                              • Instruction ID: b8ce74269ea19da5d90083036f423023ec2445169392aaf8ee95799e112da50b
                                              • Opcode Fuzzy Hash: 87c6717e0cdf94e197a02006e27135dda25f689b70762e6d52f76c329653913a
                                              • Instruction Fuzzy Hash: 9711FEB5C046598FCB10CFAAD484BCEBBF4EF48314F10852AD528A3650D379A685CFA5

Control-flow Graph
• Rendered graph not reproduced. Function 8171ec0-8171f50; API call OleInitialize in block 8171ec0-8171f2a.
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 08171F1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: f2e7f252e3771805b7b4b420e752b8c9ebea213d71bff7f1fd3774951ee21df7
                                              • Instruction ID: 243715d19f0b36829f10f7f537b0c317077b291ba80793c7a138a609eee76912
                                              • Opcode Fuzzy Hash: f2e7f252e3771805b7b4b420e752b8c9ebea213d71bff7f1fd3774951ee21df7
                                              • Instruction Fuzzy Hash: 241103B1800649CFDB20DF9AD485BDEBBF4EF48324F208459D519A7610C779A548CFA1

Control-flow Graph
• Rendered graph not reproduced. Function 81787c4-817a2e7; API call DispatchMessageW in block 81787c4-817a2ca.
                                              APIs
                                              • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0817981F), ref: 0817A2BD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3940653866.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8170000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: 69d1eddf40aec9fbfcf17e5377b2997e19f21c743c5e75d65746897b35e6d05f
                                              • Instruction ID: bc39dede656944ac1587f74115c221d9519ee4d759dbd6541daddfe3a25f6751
                                              • Opcode Fuzzy Hash: 69d1eddf40aec9fbfcf17e5377b2997e19f21c743c5e75d65746897b35e6d05f
                                              • Instruction Fuzzy Hash: 5D111DB1C047888FDB20CFAAD444B9EBBF4EF48314F10802AD928B3200D379A544CFA5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936127832.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8dd000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38e4baab1dbcecc5ada5e61809ad31ea6d0aa82696de759eaec93d24edf6a5c2
                                              • Instruction ID: 7d84625fe1f10396cd93842d21d5faaa7b2e98c11a1b2a4a839692db7b9e65c9
                                              • Opcode Fuzzy Hash: 38e4baab1dbcecc5ada5e61809ad31ea6d0aa82696de759eaec93d24edf6a5c2
                                              • Instruction Fuzzy Hash: 6421F171500344EFDB15DF24E980F26BF76FB88318F20C66AE9058A356C33AD856CBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936209251.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8ed000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54cc408bac167eda301d47890bfd1c6cd797960580cdf9299543b69ea2ca6ab4
                                              • Instruction ID: 3f23faf61ff89a240ba5b900a95a6d811980c01b556489a5e9a671eea014cc8a
                                              • Opcode Fuzzy Hash: 54cc408bac167eda301d47890bfd1c6cd797960580cdf9299543b69ea2ca6ab4
                                              • Instruction Fuzzy Hash: A0212271604784EFCB14DF25D980B16BBA1FB89314F28C56DD90A8B292C33AD84BCA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936209251.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_8ed000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 009e588b506fe38cb4646de07bdf539fa13c1e8b9557cd21dad4c89f91187206
                                              • Instruction ID: c09012b3966ca4af45a1fd80394154d064e365976b1376bd65ba99b544e4ec32
                                              • Opcode Fuzzy Hash: 009e588b506fe38cb4646de07bdf539fa13c1e8b9557cd21dad4c89f91187206
                                              • Instruction Fuzzy Hash: 41216875504384DFDB00DF15D5C0B2ABB65FB85324F20C56DD9098B382D33AD80ACAA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3936209251.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Opcode Fuzzy Hash: d41f95e0c82716e87326e9863288c4686dc4089997e9edeb149fd5eee0dc3650
                                              • Instruction Fuzzy Hash: 8A519475E01208DFDB54DFAAD98499DBBF2FF89300F249169E909AB364DB30A845CF50
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f26adc39ce4c832eb420437e77b1b4a74d4e7eda3a08af44a566a875dc80ca69
                                              • Instruction ID: 8f7ff747258cee55a0759805ff7af693666e792e53312e3f831746e46c52dc09
                                              • Opcode Fuzzy Hash: f26adc39ce4c832eb420437e77b1b4a74d4e7eda3a08af44a566a875dc80ca69
                                              • Instruction Fuzzy Hash: 5F519375E01208CFCB08DFAAD99499DBBB2FF89310B608469D905AB364DB35AD45CF50
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61f9f744f51dd9e677cb8e7c729d4af82c8444838857190d8edb60a0da11bcfa
                                              • Instruction ID: 3037ca02883130d1eb632e48d31332ef21e5cdeae75a1b0c7fd55e8bb201e382
                                              • Opcode Fuzzy Hash: 61f9f744f51dd9e677cb8e7c729d4af82c8444838857190d8edb60a0da11bcfa
                                              • Instruction Fuzzy Hash: E5418E31B04249DFCF11CFA4C844B9EBFB2EF49394F048556EA15AB251D7B5EA14CB60
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f3ffa082dadb55a6afad67cdcfc31f547abc3de463deace22837990009d4958
                                              • Instruction ID: e0550f838a07a8635d7789289a190ef76048e83081dec7537792d974a03b6044
                                              • Opcode Fuzzy Hash: 9f3ffa082dadb55a6afad67cdcfc31f547abc3de463deace22837990009d4958
                                              • Instruction Fuzzy Hash: 8F41D236B402089FCB159B69D828BAEBBF6EFC9251F148469D916D7390CE758C01CBA0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 378d04ecd90665ea09a82584e7763023b86fe0b3e1f533b61a6c63ca5dfe64f4
                                              • Instruction ID: dfd526e1bbfc99e760723927676061f418c4ef52aa4f3a0333e3b58259a9ac79
                                              • Opcode Fuzzy Hash: 378d04ecd90665ea09a82584e7763023b86fe0b3e1f533b61a6c63ca5dfe64f4
                                              • Instruction Fuzzy Hash: 6141BD71A002089FDB148F64C808FBABBBAEF85390F04C46AE955DB250DBB5DD55DF60
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6d9169834baab1697894193b03010501f905f62892987b7986f3f1a455026bde
                                              • Instruction ID: 58d87c91f0ac6d364711b164fec338f30f516ec3b0cb84dda2307df2feae81bb
                                              • Opcode Fuzzy Hash: 6d9169834baab1697894193b03010501f905f62892987b7986f3f1a455026bde
                                              • Instruction Fuzzy Hash: EC31D772F003158BDB19997A8A943BEB9DAABC4290F78447DDA16C3394DFF4CC4487A1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 72c2b2cf27a2bde1aec64da7d85c39aa921603cf67450424a2cb30604384fe1d
                                              • Instruction ID: 504cc86ddba977a4aebdd2ed9ba40d4eb1658482f9befb6a5a583a6dfd6f25e5
                                              • Opcode Fuzzy Hash: 72c2b2cf27a2bde1aec64da7d85c39aa921603cf67450424a2cb30604384fe1d
                                              • Instruction Fuzzy Hash: 5D316031B442099FCB059FA4D858BBF7BA7EB88394F108424FA169B290CF75CC65CB90
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce2c8042ef952446392a52defb99da884fb5187fcca03f618642e21b9f127fdc
                                              • Instruction ID: 4a54fcd68b7017712bd030c8ba4dbd99729646906f305c872a536a6908b86b45
                                              • Opcode Fuzzy Hash: ce2c8042ef952446392a52defb99da884fb5187fcca03f618642e21b9f127fdc
                                              • Instruction Fuzzy Hash: 2421B335B001094BDB143639C458B3EBA97DFC86D9F648039DA02CB794EFE9C8429791
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c974d02006c95f8606b99f26e3e25479955db67b35c683f96854aba53a50c4df
                                              • Instruction ID: 3cb007f6c70bffe1b2a5159b6cae13de3aa72f7f5718c9d22c199c724411df95
                                              • Opcode Fuzzy Hash: c974d02006c95f8606b99f26e3e25479955db67b35c683f96854aba53a50c4df
                                              • Instruction Fuzzy Hash: 6D31A471E405098FDB04CFA9C8A8AAEBBB3FF88354B158155E615973A5CB74ED02CB90
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 681bb9a71efa77b2c6c43a3770161166fcfab6bb657bc6621884c561854a30e3
                                              • Instruction ID: 60f1db03a7835cd93d2811a9426675e7bbcbea3c1a8fe3b7fc149a45b04966d0
                                              • Opcode Fuzzy Hash: 681bb9a71efa77b2c6c43a3770161166fcfab6bb657bc6621884c561854a30e3
                                              • Instruction Fuzzy Hash: 9121A436A001159FDF14DF24D840AAE7BA9EF9C690B20C069E9199B344DF75EA41CBD1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bd46f6ea4bb524f2357a6719197eed1a60bca8831366f99e2a56710be80fc8d
                                              • Instruction ID: 5dc05acac1542d15649656fca42f25c7f96cb3d5352483a510220ffc23cf02cf
                                              • Opcode Fuzzy Hash: 1bd46f6ea4bb524f2357a6719197eed1a60bca8831366f99e2a56710be80fc8d
                                              • Instruction Fuzzy Hash: BA213B31C50219DFCB10EFA9D8446ECFBB5FF4A304F509529D90877254EB70669ACB90
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18fd71651e190e5cdcbb263e81ea7e65894fdc2257bfa617b86932c6cb5d188
                                              • Instruction ID: c586867124abd3328e4d68dad72a6c36d43d008a185205af13c9e07b028c6551
                                              • Opcode Fuzzy Hash: b18fd71651e190e5cdcbb263e81ea7e65894fdc2257bfa617b86932c6cb5d188
                                              • Instruction Fuzzy Hash: 87210231B406118FC719AA69D89892EBBA7FF847E4754457AEA16DB350CF70DC06CBC0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b63aa47e266d8e4527122d845bf013b670d3b0f17a0bbc8149ec5cb54cfa99df
                                              • Instruction ID: 06a4d6a72b6915dbfc6942b6a1054f28a0c1d865fe0acb9f290c5e7ce405d2b5
                                              • Opcode Fuzzy Hash: b63aa47e266d8e4527122d845bf013b670d3b0f17a0bbc8149ec5cb54cfa99df
                                              • Instruction Fuzzy Hash: 23212735E422089FDB44DFB5D890AEDB7B2FF8A344F509429C80177390DB769845CA65
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 085d8eafeb830d324f6c826b0d3c654e17ba6406450daedbba7a120683f69ae2
                                              • Instruction ID: 452f9d49bc0610537caa86414f32ebdad0a04dd43db94607a2c826e89771c7b8
                                              • Opcode Fuzzy Hash: 085d8eafeb830d324f6c826b0d3c654e17ba6406450daedbba7a120683f69ae2
                                              • Instruction Fuzzy Hash: 4E31C579E01309CFCB04DFA8E9948ADBBB6FF49301B204469E919AB324DB35AD45CF40
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 953097745aa453cfec89b0a5715479a9d7e884eb2d2bccb9e8bdd626bb1e4389
                                              • Instruction ID: 5176e02a5581a0de1e4fe2dc3f1a3e53cd97975979f41b0c065b84e73e41cc66
                                              • Opcode Fuzzy Hash: 953097745aa453cfec89b0a5715479a9d7e884eb2d2bccb9e8bdd626bb1e4389
                                              • Instruction Fuzzy Hash: A921B431B442099FCB15AF64D80877B7BA6EB887A4F108025FA159B380CF74DD55CBD0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dca6766878eab574c5477e8da0f162a3551eebb459140659c1db07ab6daf7279
                                              • Instruction ID: f9a93f2c39f8eb5749655e202b1c46792e8684c1ae01d515954fe2356ef29fc0
                                              • Opcode Fuzzy Hash: dca6766878eab574c5477e8da0f162a3551eebb459140659c1db07ab6daf7279
                                              • Instruction Fuzzy Hash: 90216B30E01249EFDB04CFA5E854AEEBFBBEF48394F14815AF551A6290DB349981CF50
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd1cfc36a1c1a46065bef7abebd748363561c92a9d74df76b7d823f80605e88c
                                              • Instruction ID: 59432f4b244f9ee83853e0f3d2c212ffb6ff03e8dacc51993403fec117ee28b2
                                              • Opcode Fuzzy Hash: fd1cfc36a1c1a46065bef7abebd748363561c92a9d74df76b7d823f80605e88c
                                              • Instruction Fuzzy Hash: E3210034E422089FCB44DFB5D850AEEB7B2FF8A344F209429C50177390DB7A9845CA64
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 814342327a32ff967877676ec6c1b3a0c9704dd327d3f6c53f490de3e7184bff
                                              • Instruction ID: 6520f02cab49103651a21ab5d3d0b76ee31e08f9bc2bb7078b6d0b6181d88196
                                              • Opcode Fuzzy Hash: 814342327a32ff967877676ec6c1b3a0c9704dd327d3f6c53f490de3e7184bff
                                              • Instruction Fuzzy Hash: 2E21B274C052498FCB01DFB9D8955EDBFF0FF4A240F10456AD845B7214EB305A96CBA1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 628c12b2f0503857d66540305e68d66217e5d3b949425941ab229d47abe2e3b7
                                              • Instruction ID: 8bd1368270d7943efb57a3237e34a9641d05e0ffd6a55b8be876ba6276cb92a1
                                              • Opcode Fuzzy Hash: 628c12b2f0503857d66540305e68d66217e5d3b949425941ab229d47abe2e3b7
                                              • Instruction Fuzzy Hash: B901F972B001056FCB029E549814AFF3FA7DBD97D0B18806AFA15DB240CE75CC159FA0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ee1dda73ed481d9b11f7183bfc61124d64f85fd6de037e100173ed542192b72
                                              • Instruction ID: c89b39fdb9ad6e6e3829939fceaeb89d036a67e40070c6db66901236ae7b17e4
                                              • Opcode Fuzzy Hash: 5ee1dda73ed481d9b11f7183bfc61124d64f85fd6de037e100173ed542192b72
                                              • Instruction Fuzzy Hash: 56E09232C243EA4BCB0297708C602DEBF34EFA7211F1845D6D4A42B156EBA0165BC7A1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 951908a4b2d951050f99d3dcabd07d21f593f36aaaebd9a61e213896c7cce07e
                                              • Instruction ID: daf5192e2d83f7b05157a70f881d6f7553ce3c5a5224041422b1faa6ca38cece
                                              • Opcode Fuzzy Hash: 951908a4b2d951050f99d3dcabd07d21f593f36aaaebd9a61e213896c7cce07e
                                              • Instruction Fuzzy Hash: 22D01732D2026A978B05A6A5DC048EEB739EE96221BA08626E52437140EB706669C7E1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                              • Instruction ID: ab7d567245dfd895857a9a27e4e4597da8b5349c07d981213b52a2989c70f8d5
                                              • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                              • Instruction Fuzzy Hash: 60C01233A0C5282AA625108E7C44AABAA8CE2C16F8A250237FA1C9320098829C8041E4
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 396f022a3641b21c8989447acf3f141de3871e4cdfd6ce2c6c789720420a8462
                                              • Instruction ID: 082b446ba83c1faa0119bb6f69c50e045094fb95a8ccf276203eabf56c1dddbd
                                              • Opcode Fuzzy Hash: 396f022a3641b21c8989447acf3f141de3871e4cdfd6ce2c6c789720420a8462
                                              • Instruction Fuzzy Hash: BBD0677BB410089FCB049F98E8449DDF7B6FB9C221B048516E925A7260C6319921DBA0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 106462b63c7b788fd10c91b9a6b42d1b902aef8137360bdee2b1db3969055f17
                                              • Instruction ID: 724890bf543a4a4ff0d2abb83b4e8ccab9861c88b914a24730742caae3c68c23
                                              • Opcode Fuzzy Hash: 106462b63c7b788fd10c91b9a6b42d1b902aef8137360bdee2b1db3969055f17
                                              • Instruction Fuzzy Hash: 2CD02B7000838A8FD307BB32FE242553F1ADF41749F4044E5CC140A086EBAE4C594751
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2925992618.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2f40000_VCU262Y2QB.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 717a3f68858fcf58aad72e7c4bd09f47f3cb6e980c4e4789f03440d0cc0bb3d2
                                              • Instruction ID: 057e42086aa5372babd0ed105dc35b3c234abedb1095c5c9a65be05e24db2abe
                                              • Opcode Fuzzy Hash: 717a3f68858fcf58aad72e7c4bd09f47f3cb6e980c4e4789f03440d0cc0bb3d2
                                              • Instruction Fuzzy Hash: F4C0223014030ECBC248BB33FE04894330FEA80780B408520900806044DFBCAC800690