
Windows Analysis Report
VCU262Y2QB.exe

Overview

General Information

Sample name: VCU262Y2QB.exe (renamed because the original name is a hash value)
Original sample name: 2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01.exe
Analysis ID: 1588357
MD5: c4407cbd68725778ecd99dc7638be000
SHA1: 0a232725a5857010de9eb61837fe6bbb3a6e151f
SHA256: 2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • VCU262Y2QB.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: C4407CBD68725778ECD99DC7638BE000)
    • VCU262Y2QB.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: C4407CBD68725778ECD99DC7638BE000)
      • cmd.exe (PID: 7988 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 8044 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration: {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source | Rule | Description | Author
00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0x1491f:$a1: get_encryptedPassword
  • 0x14c0b:$a2: get_encryptedUsername
  • 0x1472b:$a3: get_timePasswordChanged
  • 0x14826:$a4: get_passwordField
  • 0x14935:$a5: set_encryptedPassword
  • 0x15fd0:$a7: get_logins
  • 0x15f33:$a10: KeyLoggerEventArgs
  • 0x15b9e:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  Strings:
  • 0x182f8:$x1: $%SMTPDV$
  • 0x1835e:$x2: $#TheHashHere%&
  • 0x19a4c:$x3: %FTPDV$
  • 0x19b40:$x4: $%TelegramDv$
  • 0x15b9e:$x5: KeyLoggerEventArgs
  • 0x15f33:$x5: KeyLoggerEventArgs
  • 0x19a70:$m2: Clipboard Logs ID
  • 0x19c90:$m2: Screenshot Logs ID
  • 0x19da0:$m2: keystroke Logs ID
  • 0x1a07a:$m3: SnakePW
  • 0x19c68:$m4: \SnakeKeylogger\
00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author
1.2.VCU262Y2QB.exe.3698610.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.VCU262Y2QB.exe.3698610.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
1.2.VCU262Y2QB.exe.3698610.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0x12d1f:$a1: get_encryptedPassword
  • 0x1300b:$a2: get_encryptedUsername
  • 0x12b2b:$a3: get_timePasswordChanged
  • 0x12c26:$a4: get_passwordField
  • 0x12d35:$a5: set_encryptedPassword
  • 0x143d0:$a7: get_logins
  • 0x14333:$a10: KeyLoggerEventArgs
  • 0x13f9e:$a11: KeyLoggerEventArgsEventHandler
1.2.VCU262Y2QB.exe.3698610.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  Strings:
  • 0x1a84a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x19a7c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19eaf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1aeee:$a5: \Kometa\User Data\Default\Login Data
1.2.VCU262Y2QB.exe.3698610.3.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  Strings:
  • 0x1390c:$s1: UnHook
  • 0x13913:$s2: SetHook
  • 0x1391b:$s3: CallNextHook
  • 0x13928:$s4: _hook
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:22:12.099366+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49725 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:12.849284+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:13.603893+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49739 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:15.182376+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49750 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:16.103285+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49756 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:18.458108+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49772 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T01:22:09.362693+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:11.550236+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:12.284582+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:13.034587+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:14.612818+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:15.518962+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:17.910242+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:20.628542+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP


AV Detection

Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source: VCU262Y2QB.exe | Virustotal: Detection: 71%
Source: VCU262Y2QB.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VCU262Y2QB.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: VCU262Y2QB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: VCU262Y2QB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: VCU262Y2QB.exe, 00000001.00000002.3186079043.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000001.00000002.3189354916.0000000004F30000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Yara match | File source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49725 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49772 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49739 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49732 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49750 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49756 -> 104.21.48.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VCU262Y2QB.exe | String found in binary or memory: https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443

System Summary

Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 1_2_00ABD364
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C6108
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CC190
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CB328
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CC470
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C6730
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CC751
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C9858
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CBBD2
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CCA31
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C4AD9
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CBEB0
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C3570
Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013CB4F2
Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000000.1314533691.000000000016A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInochia.exe0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3186079043.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3186079043.00000000025B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3184402779.000000000061E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3188990493.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000001.00000002.3189354916.0000000004F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe, 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe | Binary or memory string: OriginalFilenameInochia.exe0 vs VCU262Y2QB.exe
Source: VCU262Y2QB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: classification engineClassification label: mal92.troj.winEXE@8/1@2/2
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VCU262Y2QB.exe.log
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
            Source: VCU262Y2QB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: VCU262Y2QB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: VCU262Y2QB.exe | Virustotal: Detection: 71%
            Source: VCU262Y2QB.exe | ReversingLabs: Detection: 68%
            Source: unknown | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: VCU262Y2QB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: VCU262Y2QB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: VCU262Y2QB.exe, 00000001.00000002.3186079043.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000001.00000002.3189354916.0000000004F30000.00000004.08000000.00040000.00000000.sdmp
            Source: VCU262Y2QB.exe | Static PE information: 0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Code function: 3_2_013C24B9 push 8BFFFFFFh; retf 3_2_013C24BF
            Source: VCU262Y2QB.exe | Static PE information: section name: .text entropy: 7.348087930069703

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries)
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: AB0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 25B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 22C0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 13C0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 2F30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: 2D30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7844Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7732Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7660Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exe TID: 7844Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeThread delayed: delay time: 600000Jump to behavior
            Source: VCU262Y2QB.exeBinary or memory string: ResumeVirtualMachine
            Source: VCU262Y2QB.exeBinary or memory string: iqEMUhZ
            Source: VCU262Y2QB.exeBinary or memory string: InitializeVirtualMachine
            Source: VCU262Y2QB.exe, 00000003.00000002.3187838404.00000000065D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: VCU262Y2QB.exeBinary or memory string: get_VirtualMachine
            Source: VCU262Y2QB.exeBinary or memory string: get_MonoVirtualMachine
            Source: VCU262Y2QB.exeBinary or memory string: VirtualMachineManager
            Source: VCU262Y2QB.exe, 00000003.00000002.3184431643.0000000001017000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeProcess created: C:\Users\user\Desktop\VCU262Y2QB.exe "C:\Users\user\Desktop\VCU262Y2QB.exe"Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Users\user\Desktop\VCU262Y2QB.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Users\user\Desktop\VCU262Y2QB.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\VCU262Y2QB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTR

Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.VCU262Y2QB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.36b9240.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3698610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VCU262Y2QB.exe.3607f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VCU262Y2QB.exe PID: 7624, type: MEMORYSTR
MITRE ATT&CK Matrix (one column per tactic in the original; numbers in parentheses are the count badges shown in the matrix cells, techniques without a number are the matrix's default, unmatched cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (2); Software Packing (1); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
VCU262Y2QB.exe | 72% | Virustotal |
VCU262Y2QB.exe | 68% | ReversingLabs | Win32.Spyware.Snakekeylogger
VCU262Y2QB.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.48.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp
https://github.com/0xd4d/dnSpy/wiki/Debugging-Unity-Games | false | | high
  Source: VCU262Y2QB.exe
http://checkip.dyndns.org | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030C5000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.com | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org/q | false | | high
  Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/8.46.123.189$ | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003089000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.000000000303D000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003098000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.00000000030AE000.00000004.00000800.00020000.00000000.sdmp
http://reallyfreegeoip.org | false | | high
  Source: VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000003016000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ | false | | high
  Source: VCU262Y2QB.exe, 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VCU262Y2QB.exe, 00000003.00000002.3185727746.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588357
Start date and time: 2025-01-11 01:21:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: VCU262Y2QB.exe (renamed because original name is a hash value)
Original Sample Name: 2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01.exe
Detection: MAL
Classification: mal92.troj.winEXE@8/1@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 66
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target VCU262Y2QB.exe, PID 7624 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                        No simulations
Context (IPs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | NWPZbNcRxL.exe | malicious | FormBook | www.axis138ae.shop/j2vs/
104.21.48.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
104.21.48.1 | SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
193.122.130.0 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | 4AMVusDMPP.exe | malicious | GuLoader | checkip.dyndns.org/
193.122.130.0 | tVuAoupHhZ.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | wymvwQ4mC4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VQsnGWaNi5.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | y1jQC8Y6bP.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | zAK7HHniGW.exe | malicious | Snake Keylogger | checkip.dyndns.org/

Context (Domains)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | wymvwQ4mC4.exe | malicious | Snake Keylogger | 193.122.130.0
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.112.1

Context (ASNs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | ukBQ4ch2nE.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
CLOUDFLARENETUS | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241
CLOUDFLARENETUS | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
CLOUDFLARENETUS | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://txto.eu.org/ | malicious | Unknown | 104.21.16.1
CLOUDFLARENETUS | ru52XOQ1p7.exe | malicious | AgentTesla | 172.67.74.152
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | phish_alert_sp2_2.0.0.0(4).eml | malicious | Unknown | 192.29.202.93
ORACLE-BMC-31898US | https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 192.29.202.93 (listed twice)
ORACLE-BMC-31898US | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0

Context (JA3 Fingerprints)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | tVuAoupHhZ.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | TjoY7n65om.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | wymvwQ4mC4.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | H75MnQEha8.exe | malicious | MassLogger RAT | 104.21.48.1
                                        No context
                                        Process:C:\Users\user\Desktop\VCU262Y2QB.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1039
                                        Entropy (8bit):5.353332853270839
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                        MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                        SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                        SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                        SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.337433815181913
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:VCU262Y2QB.exe
                                        File size:553'472 bytes
                                        MD5:c4407cbd68725778ecd99dc7638be000
                                        SHA1:0a232725a5857010de9eb61837fe6bbb3a6e151f
                                        SHA256:2b8887e80909f776f73b07b6870c4f3f3be8697560e693a4786707d76aae4c01
                                        SHA512:4ba0d5c953ce0ee4c984f36360c60fa4212d77633ec24b8bbff91ead5dbbd853272c9c6b4700e0db6865bc6678bd356c039a7623d134ff44068e107b3ad80376
                                        SSDEEP:12288:YiU+RfWk1Sm5bpviLs+fMKqirYo4A4OPoTo84RPlA24:Yi3fWxIbZiLsSPWotf
                                        TLSH:B0C4BF2972E8E317D5AF0B3AF43411005B7ABE93B19AEF0D5C44A5EF0D53BD199122A3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$+................0..h............... ........@.. ....................................@................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x4887de
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x81AF2B24 [Sun Dec 12 04:25:08 2038 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88790 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x867e4 | 0x86800 | 63fda6f3138ba46403304e0b8af4d0a3 | False | 0.6022867536013011 | data | 7.348087930069703 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x596 | 0x600 | bb337337fd525b603631f27b8432eb2e | False | 0.41015625 | data | 4.03984594780929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | ea0438b2ffa5d5203b31ad259aa8633b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8a0a0 | 0x30c | data | | | 0.4230769230769231
RT_MANIFEST | 0x8a3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T01:22:09.362693+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:11.550236+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:12.099366+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49725 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:12.284582+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:12.849284+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49732 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:13.034587+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:13.603893+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49739 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:14.612818+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:15.182376+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49750 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:15.518962+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:16.103285+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49756 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:17.910242+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
2025-01-11T01:22:18.458108+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49772 | 104.21.48.1 | 443 | TCP
2025-01-11T01:22:20.628542+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:22:06.695956945 CET | 54181 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 01:22:06.703411102 CET | 53 | 54181 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 01:22:09.416109085 CET | 50803 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 01:22:09.423386097 CET | 53 | 50803 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 01:22:06.695956945 CET | 192.168.2.7 | 1.1.1.1 | 0xdf0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.416109085 CET | 192.168.2.7 | 1.1.1.1 | 0xc5c8 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:06.703411102 CET | 1.1.1.1 | 192.168.2.7 | 0xdf0 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 01:22:09.423386097 CET | 1.1.1.1 | 192.168.2.7 | 0xc5c8 | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 193.122.130.0 | 80 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 01:22:07.274916887 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 01:22:09.180958986 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4c6e641b9d9232388736dfac1fb428c1
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:09.185386896 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:09.314316034 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3cbf7a0f7b99be569c443e6609ab9392
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:10.452672005 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:11.506596088 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ac47a28bc9a951e4277d206324ad1cde
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:12.103866100 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:12.229398966 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6511a9e2582356b50e5f1e8c1f64591b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:12.853818893 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:12.979187012 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8976f32465132c6272cd3da3bdef1dae
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:13.608603954 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:14.566737890 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 712c110f28033ac967a178f7353b301a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:15.187335968 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:15.466149092 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d94d7d66ee3fcad0d100a73347b44811
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:16.107453108 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:17.854139090 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: bfea5f1d3e77c6859a22e22058a854f7
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:22:18.461780071 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 01:22:20.580368996 CET | 730 | IN | HTTP/1.1 502 Bad Gateway
Date: Sat, 11 Jan 2025 00:22:20 GMT
Content-Type: text/html
Content-Length: 547
Connection: keep-alive
X-Request-ID: a1ee3a24da1081414e72793a09782684
Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49713 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:22:10 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 00:22:10 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:10 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1869719
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YW5fUaF5rBFYVv9Ux2jSPNWJUDRCHDnOZdBQz55sBrGy4%2FZW2TUfdR4bpxL9WqWDiARHMhiqPPmktElGc6vBZ7jFkR4DYymjaewtZjCD6jMBd9%2BUg03LYJCJDD1%2BsS3C%2BUkjGnNf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c03ad95c8cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1933&rtt_var=738&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1469552&cwnd=243&unsent_bytes=0&cid=36dea1eaed0d279e&ts=547&x=0"
2025-01-11 00:22:10 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49725 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:22:11 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:22:12 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:12 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1869721
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F%2FSeVeep27aWTyv52yEkVhdl%2FppelVJ2SmwmzsJIHM85HrHXJlA4hw0qKlgoTYddPZpkt41LfsS25feJOMoJUD%2FojCKPckCqJIpthZnWuhYQEc6%2FFbXnVPD0jPgnXOcJW89bmD6u"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c0453aabc461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1663&rtt_var=634&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1713615&cwnd=228&unsent_bytes=0&cid=6387235a0726b915&ts=140&x=0"
2025-01-11 00:22:12 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49732 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:22:12 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:22:12 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:12 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1869721
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1AXUko9D1vOQXDBwKtUvzmpmLLZA7Bpm3IK5Om5AT%2FkDVmtTUN9i%2B60%2FTAd%2F6NUYK81tKrm6LGyM8WzjqZFq9ROjW081yp2yMEWKlJT4ru7XjbY05r%2B%2FhX2e0sgf9UOe7mX4RKN3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c049edf7c323-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1477&rtt_var=561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1936339&cwnd=214&unsent_bytes=0&cid=e4e98e268fad3c2d&ts=149&x=0"
2025-01-11 00:22:12 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49739 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:22:13 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:22:13 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:13 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1869722
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4sRMej9VjVHedadsVb13ZibgEVi4BzMIhVSGf2As3XbQfKFVVYJbN%2FlsHzATJyAYs56xKY64plkqxskRN%2Buo3N26E%2FzU%2FQA5HHpz08TJdF261o%2BdnuGdf8GlMCS4huRGxOoNlCC6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c04e9fe342e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1689&rtt_var=642&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1691772&cwnd=240&unsent_bytes=0&cid=01b380d0d6f18de5&ts=154&x=0"
2025-01-11 00:22:13 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49750 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 00:22:15 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-11 00:22:15 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 00:22:15 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1869724
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H03GHP%2FUzCt8d4mWaGVK7N%2B6Xl5alsXOCoHxRbljWCzjLPgCGHvH%2Fu5LXvRKwcwaUzyc%2BvxTtJ5FDIHjd1pqxzhFcx21rmlP1L9KRdpzxYQdAsgD3%2BW0wJU8zEU1sC3NyEpb8ggL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9000c0588eed43be-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1626&rtt_var=616&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1766485&cwnd=226&unsent_bytes=0&cid=6a7e6932efc997b1&ts=158&x=0"
2025-01-11 00:22:15 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        5192.168.2.749756104.21.48.14437624C:\Users\user\Desktop\VCU262Y2QB.exe
                                        TimestampBytes transferredDirectionData
                                        2025-01-11 00:22:15 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        2025-01-11 00:22:16 UTC | 853 | IN | HTTP/1.1 200 OK
                                        Date: Sat, 11 Jan 2025 00:22:16 GMT
                                        Content-Type: text/xml
                                        Content-Length: 362
                                        Connection: close
                                        Age: 1869725
                                        Cache-Control: max-age=31536000
                                        cf-cache-status: HIT
                                        last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yOF0rDhJihC2oOFEw1SjAGz3qL3nm%2BgS36mVjNaE53k4uSUd%2BlSP5FL9A48APA9ZhyUBHgNSI9UcyO6rbzaIucjwFAPrwsUjXnIXFoT9nQyKZZJjdqWBemWekDv68D7WSPrfZU1W"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 9000c05e3aef42e9-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1720&rtt_var=675&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1697674&cwnd=240&unsent_bytes=0&cid=887f6e1764c3b7f2&ts=166&x=0"
                                        2025-01-11 00:22:16 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        6 | 192.168.2.7 | 49772 | 104.21.48.1 | 443 | 7624 | C:\Users\user\Desktop\VCU262Y2QB.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-01-11 00:22:18 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        2025-01-11 00:22:18 UTC | 855 | IN | HTTP/1.1 200 OK
                                        Date: Sat, 11 Jan 2025 00:22:18 GMT
                                        Content-Type: text/xml
                                        Content-Length: 362
                                        Connection: close
                                        Age: 1869727
                                        Cache-Control: max-age=31536000
                                        cf-cache-status: HIT
                                        last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UXb0MMHdCBuYeXZbBdduPHw3TXlw86kFZhHxpfF2W2L8ygBdJkM%2BnK8MM49qIysQyMy4tjJ%2BtIP3WuWxpeg2zqZ%2Bh6vGgKaKtxkJg1a9139GS28wtxpgc2OVWoGcpnqlKlZXEEGQ"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 9000c06cf9b98cda-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1969&rtt_var=754&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1436301&cwnd=243&unsent_bytes=0&cid=d5dd7acc58fcc723&ts=142&x=0"
                                        2025-01-11 00:22:18 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                        Target ID: 1
                                        Start time: 19:22:03
                                        Start date: 10/01/2025
                                        Path: C:\Users\user\Desktop\VCU262Y2QB.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Users\user\Desktop\VCU262Y2QB.exe"
                                        Imagebase: 0xe0000
                                        File size: 553'472 bytes
                                        MD5 hash: C4407CBD68725778ECD99DC7638BE000
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.3187669811.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation: low
                                        Has exited: false

                                        Target ID: 3
                                        Start time: 19:22:04
                                        Start date: 10/01/2025
                                        Path: C:\Users\user\Desktop\VCU262Y2QB.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Users\user\Desktop\VCU262Y2QB.exe"
                                        Imagebase: 0x9b0000
                                        File size: 553'472 bytes
                                        MD5 hash: C4407CBD68725778ECD99DC7638BE000
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.3184091047.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3185727746.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation: low
                                        Has exited: false

                                        Target ID: 6
                                        Start time: 20:35:18
                                        Start date: 10/01/2025
                                        Path: C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VCU262Y2QB.exe"
                                        Imagebase: 0x410000
                                        File size: 236'544 bytes
                                        MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: high
                                        Has exited: true

                                        Target ID: 7
                                        Start time: 20:35:18
                                        Start date: 10/01/2025
                                        Path: C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit): false
                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase: 0x7ff75da10000
                                        File size: 862'208 bytes
                                        MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: high
                                        Has exited: true

                                        Target ID: 8
                                        Start time: 20:35:18
                                        Start date: 10/01/2025
                                        Path: C:\Windows\SysWOW64\choice.exe
                                        Wow64 process (32bit): true
                                        Commandline: choice /C Y /N /D Y /T 3
                                        Imagebase: 0xf60000
                                        File size: 28'160 bytes
                                        MD5 hash: FCE0E41C87DC4ABBE976998AD26C27E4
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: moderate
                                        Has exited: true


                                          Execution Graph

                                          Execution Coverage: 9.7%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 85
                                          Total number of Limit Nodes: 10

                                          Control-flow Graph

                                          [Control-flow graph: function abd429-abd605]
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00ABD4B6
                                          • GetCurrentThread.KERNEL32 ref: 00ABD4F3
                                          • GetCurrentProcess.KERNEL32 ref: 00ABD530
                                          • GetCurrentThreadId.KERNEL32 ref: 00ABD589
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: f9c53af40e895bc137739e475e7706e3ea924bd4d86c493df43e429257b49ea7
                                          • Instruction ID: dd5a0e2c053ccd1d634aebad43e09c1c93e29b6f43dfb24ec706f45c1bda8fef
                                          • Opcode Fuzzy Hash: f9c53af40e895bc137739e475e7706e3ea924bd4d86c493df43e429257b49ea7
                                          • Instruction Fuzzy Hash: 535158B0D003498FDB68CFA9D548BEEBBF5BF88314F208459E409A73A1D7746944CB69

                                          Control-flow Graph

                                          [Control-flow graph: function abd438-abd605]
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00ABD4B6
                                          • GetCurrentThread.KERNEL32 ref: 00ABD4F3
                                          • GetCurrentProcess.KERNEL32 ref: 00ABD530
                                          • GetCurrentThreadId.KERNEL32 ref: 00ABD589
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 4500cc9cc9cb7e74e8a219deefc78d63f72674a6996b79659230d8aea4bf387e
                                          • Instruction ID: ed49c4521b61c47bb9de4f0458dc3e4a73dd4181e9a03af27b58a1996d9a2cee
                                          • Opcode Fuzzy Hash: 4500cc9cc9cb7e74e8a219deefc78d63f72674a6996b79659230d8aea4bf387e
                                          • Instruction Fuzzy Hash: 5C5158B0D003098FDB24CFAAD548BEEBBF5BF88314F208459E419A7361D7746944CB69

                                          Control-flow Graph

                                          [Control-flow graph: function abada8-abb028]
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00ABAFFE
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: d43bff42e081fae570a87379b31428c1ef5085b3604a42505f67850cd498f93a
                                          • Instruction ID: 363aae852e2032fdb6dcfdc6ccef2685bbe1e098093836c014677d4d99ae5700
                                          • Opcode Fuzzy Hash: d43bff42e081fae570a87379b31428c1ef5085b3604a42505f67850cd498f93a
                                          • Instruction Fuzzy Hash: 3E814570A00B058FD764DF29D44179ABBF5FF88300F008A2DE48AD7A51D775E849CB95

                                          Control-flow Graph

                                          [Control-flow graph: function ab590d-ab5a61]
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00AB59C9
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: ba00b7c6235c15a9ccc6573966949e191acc9c26458065b88ca60af8e2fdc65a
                                          • Instruction ID: a606a0b4b6625595443e3b93560dd84f0165f6731af5a40cc84f5199e43b6c1d
                                          • Opcode Fuzzy Hash: ba00b7c6235c15a9ccc6573966949e191acc9c26458065b88ca60af8e2fdc65a
                                          • Instruction Fuzzy Hash: 6141CFB0C00759CFEB24CFA9C884BDEBBB9BF49304F20816AD408AB251DB756946CF54

                                          Control-flow Graph

                                          [Control-flow graph: function ab4248-ab5a61]
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00AB59C9
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 758e4c9c2ad4313da15c6f0db1f41b126031ec1a61e52184e5aa68ac8df4c6fa
                                          • Instruction ID: f1b29deef5398d8d9d2a3cb932d2c3f30f10b5480e55a50d887082e4f8bdd192
                                          • Opcode Fuzzy Hash: 758e4c9c2ad4313da15c6f0db1f41b126031ec1a61e52184e5aa68ac8df4c6fa
                                          • Instruction Fuzzy Hash: 5741AF70C00719DBEB24DFA9C8847DDBBF9BF49304F20816AD409AB251DB756946CF94

                                          Control-flow Graph

                                          [Control-flow graph: function abd679-abd73a]
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABD707
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 839d51f2fb6e78592debdcd4e91b1d2c3fb55641a3b59e38114e7aebe02ae92f
                                          • Instruction ID: 92996c89c2374d71b731375ba36c456115da0ba08f36c34dc7d6f3bd55f16ac9
                                          • Opcode Fuzzy Hash: 839d51f2fb6e78592debdcd4e91b1d2c3fb55641a3b59e38114e7aebe02ae92f
                                          • Instruction Fuzzy Hash: 9321E4B5D00248DFDB10CFAAD884AEEBBF9FB48314F14801AE958A3351D375A945CF64

                                          Control-flow Graph

                                          [Control-flow graph: function abd680-abd73a]
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABD707
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2781a9a3c77c63de3b529340a6c66953eceffbf679a24f888368655582c45f5e
                                          • Instruction ID: 2a2f5558089cab36ea236fccf3e4ef5f42a394e2c0782ebf4222431c5cad9165
                                          • Opcode Fuzzy Hash: 2781a9a3c77c63de3b529340a6c66953eceffbf679a24f888368655582c45f5e
                                          • Instruction Fuzzy Hash: F221E2B5D002089FDB10CFAAD884ADEBBF8FB48310F14801AE918A3350D378A940CFA5

                                          Control-flow Graph

                                          [Control-flow graph: function abaf98-abb028]
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00ABAFFE
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: b7de359cf4494cdb69fc459727e918fe3b69344860ce2880da5f87b1263d378e
                                          • Instruction ID: 0b1fe6ea5bbfa8a2ad16b4ae37c8dd7e082935528df3a360929938679dbc91d2
                                          • Opcode Fuzzy Hash: b7de359cf4494cdb69fc459727e918fe3b69344860ce2880da5f87b1263d378e
                                          • Instruction Fuzzy Hash: 4811E0B6C003498FDB24DFAAC444BDEFBF8EB88314F10842AD469A7611D379A545CFA5
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3184948907.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_94d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2e50779c4cbb05843a1abd0915c1331954671039177c3d37efa1be0929861eb
                                          • Instruction ID: f942bf5303f210b3a026299d3e1c1bdec0910017887b1ada14e0a6db962e14c6
                                          • Opcode Fuzzy Hash: d2e50779c4cbb05843a1abd0915c1331954671039177c3d37efa1be0929861eb
                                          • Instruction Fuzzy Hash: 6C21F879505204DFDB15DF10D9C0F16BBA5FB94324F24C56DE9090F2A6C33AE856CAA2
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6eed41c5f380c174f9b351525b43713d8948879021e4929ce57cd8e067c9694c
                                          • Instruction ID: 1197c24513948ca15f4b2bc158e58917e7439cf140e5c3edc289ce94ded199d8
                                          • Opcode Fuzzy Hash: 6eed41c5f380c174f9b351525b43713d8948879021e4929ce57cd8e067c9694c
                                          • Instruction Fuzzy Hash: B721F2B1E04200EFDB15DF20D9D0B66BBB5FB88314F24CA6DE9094F292C336D846CA61
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f96bd4fb7320b671a7ba57e7e12f164c1bc10f31a5321d4ffd9f8bf90596973
                                          • Instruction ID: 99563d1bcdb92f18aa16f0b5b4e226b6fdd3c7300a0a6cd02cc9556012e3bb31
                                          • Opcode Fuzzy Hash: 2f96bd4fb7320b671a7ba57e7e12f164c1bc10f31a5321d4ffd9f8bf90596973
                                          • Instruction Fuzzy Hash: 5C21D075A04240EFDB14DF20D984B26BBB5FB88314F24C569E80A4B296C337D847CAA2
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e745196947352156cb12c3addeaa1669569d976ab22a54b86c26396acab6e58
                                          • Instruction ID: a5db79ddb34dffed3b134d641d222a313c38e2619a681f9ccc8aeab54c353d9f
                                          • Opcode Fuzzy Hash: 9e745196947352156cb12c3addeaa1669569d976ab22a54b86c26396acab6e58
                                          • Instruction Fuzzy Hash: 75210875A04344EFDB14DF10D5C4B2ABBB5FB84364F24C569E8490F341C336D846CAA2
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3184948907.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_94d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                          • Instruction ID: 8c5f1c786480a559060cbf9c563ba34f44739aec22dc73e4fd060c87a4c56a54
                                          • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                          • Instruction Fuzzy Hash: 2211D376504240DFDB15CF10D5C4B16BF72FB94324F24C6A9D9090B6A6C33AE856CBA1
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction ID: 13592c6062e0c5273322cc01ff8242aac1f14cd3dd68e7ca299b02926365be17
                                          • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction Fuzzy Hash: A5119075A04280DFCB15CF14D5C4B15FBB1FB84318F24C6A9D84A4B656C33BD84ACB61
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                          • Instruction ID: 297ed3c2263e4d7e2bb9d06333a0fa4435f005f7a2828e3d7da5436b34a351b6
                                          • Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                          • Instruction Fuzzy Hash: 29116075904684DFDB11CF14D5C4B19BB71FB84324F24C6AAD8494F756C33AD846CB92
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185047293.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_a6d000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction ID: b70a9dc4e7a2b3152d11e8096edec5e0d448b91ea90550f8e11dcedab831ea39
                                          • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                          • Instruction Fuzzy Hash: E4118BB5A04280DFCB16CF20D5D4B55BBB1FB84314F28C6A9D8494B696C33AD84ACB61
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.3185224334.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_ab0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff4bcbe203c5a0bc72ca9ac017f60dafc54935afa6aa29a723d57b2893972334
                                          • Instruction ID: 651fff8726f3f8f394161a0e827724d120598b52285e029c0d9b62bbbcfb39f8
                                          • Opcode Fuzzy Hash: ff4bcbe203c5a0bc72ca9ac017f60dafc54935afa6aa29a723d57b2893972334
                                          • Instruction Fuzzy Hash: 5CA17E36E002098FCF05DFB4C9945DEB7B6FF85300B1985BAE905AB266EB31D956CB40
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (oq$(oq$,q$,q
                                          • API String ID: 0-620556200
                                          • Opcode ID: fb5671584b4ac55994ef425de668b3a390cce49392228bdcbe81241b15991e2d
                                          • Instruction ID: 0f2858d99ff156640a5123eb01b6a57294e5a94dce63e9d1db443b96f91c4fd7
                                          • Opcode Fuzzy Hash: fb5671584b4ac55994ef425de668b3a390cce49392228bdcbe81241b15991e2d
                                          • Instruction Fuzzy Hash: B6024AB0A00209DFDB15CFA9C985AAEBBF6FF88708F148469E515AB361D731EC41CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (oq$4'q
                                          • API String ID: 0-1336004174
                                          • Opcode ID: 675fc04745279910221525104f001e7fd770f7e6e98a9b0d2fedf97a8b9fbb14
                                          • Instruction ID: 909deed3e84fbc0ab56f082140f14b95cbe1fd120565b1b43feab11fee4f7280
                                          • Opcode Fuzzy Hash: 675fc04745279910221525104f001e7fd770f7e6e98a9b0d2fedf97a8b9fbb14
                                          • Instruction Fuzzy Hash: 8C728E71A00209DFCB16CFA8C984AAEBBF6FF88758F158559E8059B3A1D730ED51CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (oq$Hq
                                          • API String ID: 0-2917151738
                                          • Opcode ID: 5df601492fe912e93b940cc30f68d15edb6430d0cac39592488de3737171db59
                                          • Instruction ID: d91f126730accb84ace71cea5270b40e641b5a07de82180057efe05fe57e5fd9
                                          • Opcode Fuzzy Hash: 5df601492fe912e93b940cc30f68d15edb6430d0cac39592488de3737171db59
                                          • Instruction Fuzzy Hash: 3612AEB0A002199FDB14DF69D855BAEBBF6BF88704F14852DE40ADB395DB309D42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 3ae88c73d77d35381d3e38db173776d22e267c6caddff74e059800a98308092b
                                          • Instruction ID: b36a79787fb1b2cc733b92e229594f13b9d45a0ec5c4d4f2c741dda8ac4e905b
                                          • Opcode Fuzzy Hash: 3ae88c73d77d35381d3e38db173776d22e267c6caddff74e059800a98308092b
                                          • Instruction Fuzzy Hash: 8FE11471E04219CFDB14CFA9C885A9DFBB2BF48754F1580A9E809AB366DB31AC41CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 0408f8dd716cb6957d9c6c8b0794d8f15b4b6dab6e6123d8ba4d5f4bc0577be6
                                          • Instruction ID: 6da83d7e731aadcd213459e0a63f25c3ecab5ceff03e84c3a98e70c6afdabe0e
                                          • Opcode Fuzzy Hash: 0408f8dd716cb6957d9c6c8b0794d8f15b4b6dab6e6123d8ba4d5f4bc0577be6
                                          • Instruction Fuzzy Hash: 5991C274E002589FEB14DFAAD894A9DFBF2BF89314F148069E449AB369DB309D41CF11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 5e2e6086e9e68ab1b7264ea9b2185c29d92855f69c9661c61541f7e80070b81a
                                          • Instruction ID: f38bbf0a377b3ac2bed2a2647a58d2de377118796125402e69465951b4b6e6da
                                          • Opcode Fuzzy Hash: 5e2e6086e9e68ab1b7264ea9b2185c29d92855f69c9661c61541f7e80070b81a
                                          • Instruction Fuzzy Hash: 6A81B174E00218DFEB14DFAAD994A9DBBF2BF89314F149069E409AB365DB309D81CF11
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: e89cc2d2c960dba847ef873ff079403883c0dd61f6fa6b6316c22762de6405ea
                                          • Instruction ID: a3665965e83f75a6c7acbbc5618873e6651fdc4b726b42953c7ef0718a572d8c
                                          • Opcode Fuzzy Hash: e89cc2d2c960dba847ef873ff079403883c0dd61f6fa6b6316c22762de6405ea
                                          • Instruction Fuzzy Hash: 4D81B174E002189FEB14DFAAD984A9DBBF2BF89304F14D069E819AB365DB349D41CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: d783e3d6aec3140ebee1ee3968e646004fe60302d2f422101e0d029999debd77
                                          • Instruction ID: 5f9588bb34a5b2e28654a1f2a2594660ca1f8c060499c7409e0f85d8badd96f3
                                          • Opcode Fuzzy Hash: d783e3d6aec3140ebee1ee3968e646004fe60302d2f422101e0d029999debd77
                                          • Instruction Fuzzy Hash: 6881A074E002189FEB14DFAAD994A9DBBF2BF89314F14C069E859AB365DB309941CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 1fbd02615068ba6278f6f3e45a6b5c497f48c498f8bb36bd848329fb9fe2fd96
                                          • Instruction ID: 138b94c41b326b49920f7f314753fa18a22b96a15613f9936368f0dc295886a7
                                          • Opcode Fuzzy Hash: 1fbd02615068ba6278f6f3e45a6b5c497f48c498f8bb36bd848329fb9fe2fd96
                                          • Instruction Fuzzy Hash: 5F819F74E00218DFEB14DFAAD984A9DBBF2BF89314F149069E419AB365DB349D42CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 77b5e16f7b86552364d0c1588c9d35464bad1d50c3f002d1fe4230ab1d6d7dec
                                          • Instruction ID: 6e0ada8f5feffb8a9f94c9fd6bd4fd7be922199c1c420623073bfc4d8e920bd0
                                          • Opcode Fuzzy Hash: 77b5e16f7b86552364d0c1588c9d35464bad1d50c3f002d1fe4230ab1d6d7dec
                                          • Instruction Fuzzy Hash: 3681BF74E00218DFEB14DFAAD984A9DBBF2BF89314F149069E819AB365DB319D41CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: 6c7fafed71970ffc762d60b3a2bf0c11cbdaf3a6dcfb95217aa09d348b8100a9
                                          • Instruction ID: 1c72671bf5e6f30082d7b4c8c82ccb1fe5558131933e6e1d52232d3ea8ae8166
                                          • Opcode Fuzzy Hash: 6c7fafed71970ffc762d60b3a2bf0c11cbdaf3a6dcfb95217aa09d348b8100a9
                                          • Instruction Fuzzy Hash: 47819474E002189FDB14DFAAD994A9DBBF2BF88314F14D069E419AB365DB309D42CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq$PHq
                                          • API String ID: 0-1274609152
                                          • Opcode ID: c718ab82b6d85fef4502a650fc02673e3da6bf5319f694a1ac0b758b473fd588
                                          • Instruction ID: 28c21d2ca76eeff65bbc84564e420a88da12992efabdf6bb7d82e69c2080dd14
                                          • Opcode Fuzzy Hash: c718ab82b6d85fef4502a650fc02673e3da6bf5319f694a1ac0b758b473fd588
                                          • Instruction Fuzzy Hash: 4461D674E002089FEB14DFAAD984A9DFBF2BF89314F14C069E818AB369DB755941CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                          • API String ID: 0-2212926057
                                          • Opcode ID: c7dde9c4ce26096d694a7ea6661d487a59eee3a3f18d262843f16189163d21f7
                                          • Instruction ID: 6af8e24929783e2e8f1978b3469a0d37b0921bfa4eca02807c884857fb2f838c
                                          • Opcode Fuzzy Hash: c7dde9c4ce26096d694a7ea6661d487a59eee3a3f18d262843f16189163d21f7
                                          • Instruction Fuzzy Hash: 3C125930A002099FDB25CF69D884AAEBBF2BF88718F148599E945DB361DB30ED41CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q
                                          • API String ID: 0-3126353813
                                          • Opcode ID: 7fe785e0f84fac61402fb97218a3b090e634da644faa916e4300b14c2047e918
                                          • Instruction ID: 29a7611300712cbea93b0791e9513abb26af588a09c0baa5847032d3a38a7763
                                          • Opcode Fuzzy Hash: 7fe785e0f84fac61402fb97218a3b090e634da644faa916e4300b14c2047e918
                                          • Instruction Fuzzy Hash: CD521474A002199FEB24EBA4C864B9EBB73EF94700F1080ADC10A6B799CF355E45DF65
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q$4'q
                                          • API String ID: 0-1467158625
                                          • Opcode ID: 00051ffa6835c81189089d1cb847390f46a01ac318c99ba9dd7ddf3a175d88cb
                                          • Instruction ID: d0c42650777e6d477a95d8148cf6571fcacc6dae8cd898eddf82a7498e4b041a
                                          • Opcode Fuzzy Hash: 00051ffa6835c81189089d1cb847390f46a01ac318c99ba9dd7ddf3a175d88cb
                                          • Instruction Fuzzy Hash: 00B196707542018FEB159A2DC968BB93B9AEF85F08F1904EEE502CF7A1DE25CE42C741
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hq$Hq
                                          • API String ID: 0-925789375
                                          • Opcode ID: 74479255b0348ccab65e2cd5dec42127eafadcf484d0b802458a7346c58195dc
                                          • Instruction ID: cc03082b0ffa8c9951e0df9f767fd188e0b9d06a7dd38620ecfd1df1c69dd368
                                          • Opcode Fuzzy Hash: 74479255b0348ccab65e2cd5dec42127eafadcf484d0b802458a7346c58195dc
                                          • Instruction Fuzzy Hash: FBB1ED347042049FEB269F78D894B7A7BE6AFC8618F14486DE406CB391DB74EC42C791
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ,q$,q
                                          • API String ID: 0-1667412543
                                          • Opcode ID: 64f56bd102d537b5ee3d0629938bbf71f62cdc5a0197026b8ca7d8c2643abdc8
                                          • Instruction ID: 3c7a349afef4d8e8284203da8a5ba40f930b2633652cd8329c850b4a4162c632
                                          • Opcode Fuzzy Hash: 64f56bd102d537b5ee3d0629938bbf71f62cdc5a0197026b8ca7d8c2643abdc8
                                          • Instruction Fuzzy Hash: 38818F31B002058FDB14DF6DC888AA9BBB6BF89A18B14816DD509DB765DB31FC42CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Xq$Xq
                                          • API String ID: 0-1556399337
                                          • Opcode ID: fa6c9ff44acacd9218477c0446f71ca6e742cd32ca4676256d958927ba014f47
                                          • Instruction ID: b19461a2b2525e60256ee561876314c52326f485d4d85110e5186e40b823a63b
                                          • Opcode Fuzzy Hash: fa6c9ff44acacd9218477c0446f71ca6e742cd32ca4676256d958927ba014f47
                                          • Instruction Fuzzy Hash: 9C313C75B003198BEF299A6D599527EB6EABBC4A18F18843DD807D7780DF74CC018761
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 67c2ae26968838570451687ae29fafa1ddbc4ce2673a956404442171198fb25c
                                          • Instruction ID: ea4b7498e49248823fa23a24c790b0d470ed2587b011fc9187b2eef9cc88b85f
                                          • Opcode Fuzzy Hash: 67c2ae26968838570451687ae29fafa1ddbc4ce2673a956404442171198fb25c
                                          • Instruction Fuzzy Hash: 3122FB78E0021ADFDB64EF64E894A9DBBB2FF48311F1085AAD809A7358DB305D46CF51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 75082db232680a683df3b56f05b06ee86d8be9d287340909d3b5f0449927f5b9
                                          • Instruction ID: d488b5827c17ce4cac18060014afb911e186cf25c31b8cf8b3ae8bff38c42335
                                          • Opcode Fuzzy Hash: 75082db232680a683df3b56f05b06ee86d8be9d287340909d3b5f0449927f5b9
                                          • Instruction Fuzzy Hash: 7822FB78E0021ADFDB64EF64E894A9DBBB2FF48311F1085AAD809A7358DB305D46CF51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (oq
                                          • API String ID: 0-1999159160
                                          • Opcode ID: 25e50b51cda1034dafcc89c888ca342524a7108c6a3044d9c45f4aff744a27f3
                                          • Instruction ID: 5d217c92d37a9aa42268235c2e796597e3d59990b6379fc04ea1dca6124cb881
                                          • Opcode Fuzzy Hash: 25e50b51cda1034dafcc89c888ca342524a7108c6a3044d9c45f4aff744a27f3
                                          • Instruction Fuzzy Hash: 82410231B002089FDB15AF69E8146EE7BF7BFC9620F144469E506D7790DE359C12CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad3d076a292a55a238549b5f5e32b5a0268e69119781550345e27962fcdd5484
                                          • Instruction ID: 93d8da45d4b3cc61320769733f3c5dbba0c8bec3dee4a82ac9e5d2fe08c912b1
                                          • Opcode Fuzzy Hash: ad3d076a292a55a238549b5f5e32b5a0268e69119781550345e27962fcdd5484
                                          • Instruction Fuzzy Hash: 77F14D75A402198FCB04CFACC984AADBBF6FF88714B1A8459E505EB361DB35EC42CB50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4b02704fdd86e55a55054b24c586b0394339c37c05fd6de359a680d67a31dcf4
                                          • Instruction ID: 3babe7ed5db5a222d5046380dd2e9dd770b830766d561af952eb5dff33b0a81c
                                          • Opcode Fuzzy Hash: 4b02704fdd86e55a55054b24c586b0394339c37c05fd6de359a680d67a31dcf4
                                          • Instruction Fuzzy Hash: 6B71F4347002458FDB15DF2DC898AAA7BEAAF59B18F1500A9E906CB3B1DB70DC51CF90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abbc7614b88c3ac44e2146cc0517c19b75a4a2bc920e12a9fb7df66a3edc62cc
                                          • Instruction ID: 63e1cae8d0ad6b04e87bfded5e8169c3e5574554259155b562f76a403a2e3d90
                                          • Opcode Fuzzy Hash: abbc7614b88c3ac44e2146cc0517c19b75a4a2bc920e12a9fb7df66a3edc62cc
                                          • Instruction Fuzzy Hash: BD51D3709A5696AFC3252F60B1AC16E7BA2FF1F313345BD00E00F85A08CBB408A6CB51
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d80b60cce4e16188f0906b8d28672ce3b35f35c4a3b2e93aaf575bfaf59acfba
                                          • Instruction ID: 91337a810bc962faaff5502f009ad20fbe725f77ee0fa1b3dccd709cc6bec613
                                          • Opcode Fuzzy Hash: d80b60cce4e16188f0906b8d28672ce3b35f35c4a3b2e93aaf575bfaf59acfba
                                          • Instruction Fuzzy Hash: A051A0709A5656AFD3243F60B1AC16E7BA2FF5F723345BD00E10F85A48CBB408A6CB51
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2788bb4d408525de45aebce2ff24ba58f07d035275a213da97b854af000a5c9
                                          • Instruction ID: 9d15a787df9825a77116632eecf8077605033c25629509410553b9daaa005bd9
                                          • Opcode Fuzzy Hash: b2788bb4d408525de45aebce2ff24ba58f07d035275a213da97b854af000a5c9
                                          • Instruction Fuzzy Hash: 3C51A274E01208DFDB58DFA9D594ADDBBF2BF89310F24816AE809AB365DB319901CF00
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 356ddbf703ba876e19582d76bef2796b3e1a766e4fd67bf737a7a2ec7a915920
                                          • Instruction ID: 0e53dc6fd1dae2626e42a3420bc4b335cb98d1e63a062f0ea0e73667fe6d5a5b
                                          • Opcode Fuzzy Hash: 356ddbf703ba876e19582d76bef2796b3e1a766e4fd67bf737a7a2ec7a915920
                                          • Instruction Fuzzy Hash: 8E519075E01208DFCB08DFA9E59499DBBF2FF89304B209469E805AB328DB31AD41CF50
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b12438b462fa9a5618ea955a23584f650c27556f3e37c47b639bd22f0b45129f
                                          • Instruction ID: c90a16fab2a420a6ca80c91607d761125c4b3b6b1650ac81467d922773d862f4
                                          • Opcode Fuzzy Hash: b12438b462fa9a5618ea955a23584f650c27556f3e37c47b639bd22f0b45129f
                                          • Instruction Fuzzy Hash: 6D41D231A04249DFDF12CFA8C844B9DBFB6AF49758F15855AE8019F2A2D331ED11CBA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 523d0e85407659e58435ce48e20112c87d016160559c13c3467335e0b3535a4c
                                          • Instruction ID: c54af5591c2c04b38005db8cdf16d202183ca8cfeb53bd32e2965c35f3edb623
                                          • Opcode Fuzzy Hash: 523d0e85407659e58435ce48e20112c87d016160559c13c3467335e0b3535a4c
                                          • Instruction Fuzzy Hash: EA31807160410AAFDB05AF68E864AAF7FA7FB48614F004419F9198B755CB34CC66DFA0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a9eb9c66ceff58f5851005ded3a0b9af7a2cfb32b78d4e95333c3e6f00bf58d
                                          • Instruction ID: 6c83e38ae67a26ef7041818e7c22e6c07898e97ff974fa2a7fec7ac6c190238f
                                          • Opcode Fuzzy Hash: 6a9eb9c66ceff58f5851005ded3a0b9af7a2cfb32b78d4e95333c3e6f00bf58d
                                          • Instruction Fuzzy Hash: 3021F4347442084BEB26163E989467D7B97AFC4E5C718007DDD06CBB9AEE298C439B80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b41581916b60b81f1b2e0300f2be2adc5f34e2e7fdb0e4268754ec99a7cc005
                                          • Instruction ID: 3787e5143ca42a2e45d31a08618a43a6a5051a98a8b272af0520239a7ec51ea4
                                          • Opcode Fuzzy Hash: 2b41581916b60b81f1b2e0300f2be2adc5f34e2e7fdb0e4268754ec99a7cc005
                                          • Instruction Fuzzy Hash: 54318D70E002098FCB04DF6DC8849EEBBF2BF89764B198559E555DB3A5DB359C02CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73bf749a44591a9855bd5a3bd3c88f60a4a84aefa9e478f3690f994bc1b5c681
                                          • Instruction ID: 0cd5f88c1d64c7897f72fa2d5cd82453ad73f99b002c5f215a22ceded319e828
                                          • Opcode Fuzzy Hash: 73bf749a44591a9855bd5a3bd3c88f60a4a84aefa9e478f3690f994bc1b5c681
                                          • Instruction Fuzzy Hash: EB21F5343002085BEB25163D9854A7E768BAFC4F5CF14407DDD06CBB99EE29CC429B80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dad27a0a3c45fa613f440e2d0f54e718ba74449852332f5c5456534ff1bb8df6
                                          • Instruction ID: 4c33fd174ab801233201b927372459635c8ba05c1d3a92330e6b398eae84d606
                                          • Opcode Fuzzy Hash: dad27a0a3c45fa613f440e2d0f54e718ba74449852332f5c5456534ff1bb8df6
                                          • Instruction Fuzzy Hash: C721D3387456129FD3169A29C4A453BBBA3EF89B54704446DE906CB754CE20EC03CBD0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3ee6a9a5894a12a451c3b3ea096e8d8bcd97ba7383a43bb0de55ab8d8da0451
                                          • Instruction ID: ae8ad0663df09978916684139846fe87b10d953d92847512d570d960705f35c4
                                          • Opcode Fuzzy Hash: e3ee6a9a5894a12a451c3b3ea096e8d8bcd97ba7383a43bb0de55ab8d8da0451
                                          • Instruction Fuzzy Hash: 2F21C435A00219AFCB14DF28C850AAF7BA6EB88754B51C51DD8099B348DB32EE42CBD1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29a35f4407e70e20d57e9e0ae7bb4800e96817dcf17cc28a7a27f537e4c57ad5
                                          • Instruction ID: faccab614742bfa0214b4e6691f0ec7b07a27d0fdec926861edd0f74d571258c
                                          • Opcode Fuzzy Hash: 29a35f4407e70e20d57e9e0ae7bb4800e96817dcf17cc28a7a27f537e4c57ad5
                                          • Instruction Fuzzy Hash: B3216631C102099ECB11EFF8D8146ECFBB5EF4A314F409229E40477214EB35AAAACB80
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90b62d995161795134dc99ed8eddd1643a3d590e8ae73742a47fc1b7b0beac4c
                                          • Instruction ID: 69fcb04c0c4beb7c7b56bdc11524411d562543636268881c31ee18e6f793ad1c
                                          • Opcode Fuzzy Hash: 90b62d995161795134dc99ed8eddd1643a3d590e8ae73742a47fc1b7b0beac4c
                                          • Instruction Fuzzy Hash: 31214870C04219DFDB11EFB8C4945EDBBF0BB49314F50456AC405A7255EB305A4ADBA2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c209dc28bfd89fdda6f4aad993dc807ec329fab30a11c05a426e3a68a7e39ad0
                                          • Instruction ID: 32a2ebb6fea4a74d2b325940b7cdb21f6fe3ce56cf135fff25f58b6d8f25d45c
                                          • Opcode Fuzzy Hash: c209dc28bfd89fdda6f4aad993dc807ec329fab30a11c05a426e3a68a7e39ad0
                                          • Instruction Fuzzy Hash: 1C2139349052499BDF08DFB5D4509EEBBB2BF8A300F10547AC40577358DB369C46CB54
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3d58e9506223fb2549e12c47eda2a7a3e8a486a70862d1774b6cc83093297dd
                                          • Instruction ID: f8e26c56d2ed7bbe72e5c42283429a3eebd8581b5dbd2d75db67df0ce287c7f4
                                          • Opcode Fuzzy Hash: f3d58e9506223fb2549e12c47eda2a7a3e8a486a70862d1774b6cc83093297dd
                                          • Instruction Fuzzy Hash: 37115C35E143599FCB02DBFC9C009DEFBB1FF89210B248656D515B7151E6311D06C7A0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9ef826128c08542d565e79ad6c3a61193a324a8760a84987bd417d552104e537
                                          • Instruction ID: c72b094f698b4e09bf077aa2bd3c231fa4de68b6afc4e90271879e9c901ebfa4
                                          • Opcode Fuzzy Hash: 9ef826128c08542d565e79ad6c3a61193a324a8760a84987bd417d552104e537
                                          • Instruction Fuzzy Hash: 3521C27164824A9FDB12EF78E4646AB3FE2EB58614F004469E8498B756CB38CC56CBD0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6bb6a1a3df664e48d39d3fc9aca528050d456c02e3029f8c0701795955cb37a
                                          • Instruction ID: 87076c74b0efb2cebc2bf5e9558b6e573050fd823fd609de88796419e4194a15
                                          • Opcode Fuzzy Hash: a6bb6a1a3df664e48d39d3fc9aca528050d456c02e3029f8c0701795955cb37a
                                          • Instruction Fuzzy Hash: E0316078E01308DFCB48DFA8E59499DBBB2FF49305B209469E819AB324DB31AD15CF41
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 23e0901aa6fcab2385d4ec86198231f82f860533042a1589c4da6df0b6fcf95a
                                          • Instruction ID: 6a3cbf05384d004085ffa6257a8d156dc3fbc0cc66afe525f8f9f1b40afdff5c
                                          • Opcode Fuzzy Hash: 23e0901aa6fcab2385d4ec86198231f82f860533042a1589c4da6df0b6fcf95a
                                          • Instruction Fuzzy Hash: 3F21E7349052089BDF18DFB5E850AEEB7B2FB8A300F10652AD40573368DB769D45CF65
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cbf0e28c0fe0b9933df022c249f8a9de3f5c89784312e680eee3a414a27843f4
                                          • Instruction ID: 67fa92c632f56d8b7d8c032333b7f098884c64822737a17e215a5b0d92426481
                                          • Opcode Fuzzy Hash: cbf0e28c0fe0b9933df022c249f8a9de3f5c89784312e680eee3a414a27843f4
                                          • Instruction Fuzzy Hash: 8511C2397416129FE71A9A2EC4A452FBBA7FF84B64704446CE906CB750CF20EC02CBD0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 545383178501c4ce66c4b69ff5da9131b898139f3b01461464b8b4d8376d4b64
                                          • Instruction ID: 85f99c15986579ca57d7005bc5eda06f23cad5d77792796ca503af3bfbf0f3b6
                                          • Opcode Fuzzy Hash: 545383178501c4ce66c4b69ff5da9131b898139f3b01461464b8b4d8376d4b64
                                          • Instruction Fuzzy Hash: 8621F2B4C0420A8FCB00EFA8D9945EEBFF1BF09300F10466AD805F3211EB305A56CBA1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b832145091bdf8d3c99fa17790eb8482b4a06e809bc0aed34f8237dda0064ebd
                                          • Instruction ID: c7bce3b059a70c576190b1e1f07a92aa40c58b203dd510aea1813aabac41b75c
                                          • Opcode Fuzzy Hash: b832145091bdf8d3c99fa17790eb8482b4a06e809bc0aed34f8237dda0064ebd
                                          • Instruction Fuzzy Hash: 2D01F572B040596FDB02DE68A8106BF3FE7DBD9661B18806AF904D7394CE719D26C790
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8549f516c2df49f0b3aaaa4488f0a6199bc1aae0a5fe6a8f78edfea4eace7995
                                          • Instruction ID: 665a994d880263ff641ac2f60969109dd1ab818cfa33bad00008cf9651a58ac4
                                          • Opcode Fuzzy Hash: 8549f516c2df49f0b3aaaa4488f0a6199bc1aae0a5fe6a8f78edfea4eace7995
                                          • Instruction Fuzzy Hash: 39E02230D183A64BCB02A76898540EEBFB09DD7321B6646BAD09076401D725151BC761
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7c6b18510ab6fca1ece9c1e5d48497e4797b3ba87b3ade07a6b0b2bb0fb64be
                                          • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                                          • Opcode Fuzzy Hash: b7c6b18510ab6fca1ece9c1e5d48497e4797b3ba87b3ade07a6b0b2bb0fb64be
                                          • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                          • Instruction ID: e6ab98ca439b8be1d1f711698088dfd2b5bdd0b28e210da7fbd976c11b3d21b2
                                          • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                          • Instruction Fuzzy Hash: 0CC0803720D1282AD635104F7C44DB3774CC3C17F8915017BF51CD320054425C4002F4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 03cead810f6bbaefa2074d718c706977a4a4420e51f6f8ea9697f75c4e7d9c89
                                          • Instruction ID: a98684b732cb18a02e22663dae04c3923006466133f50bc0192184083a24319f
                                          • Opcode Fuzzy Hash: 03cead810f6bbaefa2074d718c706977a4a4420e51f6f8ea9697f75c4e7d9c89
                                          • Instruction Fuzzy Hash: 18D0173BB01008AFCB008F88E8408DDB7B6FB8C221B008016F911A3260C6319821CB90
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4607a6518b4302b824c7020f30638cd06d91555d2ce8160a33e94b59e53acda9
                                          • Instruction ID: 57b3042dedfee62ac255565c8a1bf5a7751a39cfb7cd1fcf56d529b57465e22c
                                          • Opcode Fuzzy Hash: 4607a6518b4302b824c7020f30638cd06d91555d2ce8160a33e94b59e53acda9
                                          • Instruction Fuzzy Hash: BED02B7480C38B5BD352F730F92409437777A80104F8004D0E4040E40AEB74480A8BF2
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2345755208c112f2c31781429124e9414fa9e8ba744e9daf1829826e4f2c1955
                                          • Instruction ID: fd62319ca67ae49d9f2778cf589a07ea86f84026a0793773c86e3fa0d0dc642b
                                          • Opcode Fuzzy Hash: 2345755208c112f2c31781429124e9414fa9e8ba744e9daf1829826e4f2c1955
                                          • Instruction Fuzzy Hash: D6C0807491C30F97D511F771F95459573BB76D0510F404910F0090D51DDF749C4A8BB1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \;q$\;q$\;q$\;q
                                          • API String ID: 0-2933265366
                                          • Opcode ID: a8d8da158362c812e8dc6a5be1bfa83e6f4e50f619982e731711fff04d2f346c
                                          • Instruction ID: 1dc5307e209e5e51ac8d03e5ae008c6103d6b58ae59022030fcc41b43925a469
                                          • Opcode Fuzzy Hash: a8d8da158362c812e8dc6a5be1bfa83e6f4e50f619982e731711fff04d2f346c
                                          • Instruction Fuzzy Hash: F001A7717081398FCB258A2DC846A2577FABFC8EA8719427EE502DB3B1DA71DC428751
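The entries above are the raw per-function output of the Joe Sandbox IDA plugin: every function lifted from the same memory dump repeats the dump's source name, and the only values that differ are the opcode/instruction IDs and fuzzy hashes (plus, where a function references strings, a String ID). What a triager actually wants from this listing is the region it came from and the hashes for clustering. The parser below is an added example, not code from the report or from Joe Sandbox; the sample text is copied from the two entries above. The layout of the `.sdmp` file name (process index, stage, timestamp, base address, page protection, an unnamed field, memory type, an unnamed field) is an assumption inferred from the report, partly corroborated by the snapshot name `hcaresult_3_2_13c0000_...`, which repeats the first three decoded values; `PAGE_*` and `MEM_*` are documented Win32 constants, but reading those two fields as such is likewise an assumption.

```python
"""Parse Joe Sandbox function-listing entries and triage the memory region behind them.

Added example, not Joe Sandbox code. ASSUMED .sdmp name layout, inferred from the report:
<proc>.<stage>.<timestamp>.<base>.<protect>.<field6>.<type>.<field8>.sdmp
with <protect>/<type> read as Win32 PAGE_* / MEM_* values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the two entries copied from the listing above (raw string so "\;q" survives).
SAMPLE = r"""Memory Dump Source
• Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7c6b18510ab6fca1ece9c1e5d48497e4797b3ba87b3ade07a6b0b2bb0fb64be
• Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
• Opcode Fuzzy Hash: b7c6b18510ab6fca1ece9c1e5d48497e4797b3ba87b3ade07a6b0b2bb0fb64be
• Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
Strings
Memory Dump Source
• Source File: 00000003.00000002.3185184817.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13c0000_VCU262Y2QB.jbxd
Similarity
• API ID:
• String ID: \;q$\;q$\;q$\;q
• API String ID: 0-2933265366
• Opcode ID: a8d8da158362c812e8dc6a5be1bfa83e6f4e50f619982e731711fff04d2f346c
• Instruction ID: 1dc5307e209e5e51ac8d03e5ae008c6103d6b58ae59022030fcc41b43925a469
• Opcode Fuzzy Hash: a8d8da158362c812e8dc6a5be1bfa83e6f4e50f619982e731711fff04d2f346c
• Instruction Fuzzy Hash: F001A7717081398FCB258A2DC846A2577FABFC8EA8719427EE502DB3B1DA71DC428751
"""

# Documented Win32 constants (not Joe Sandbox-specific).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0  # any of the four executable PAGE_* values

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(rf"^(?P<proc>{HEX8})\.(?P<stage>{HEX8})\.(?P<ts>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})"
                     rf"\.(?P<protect>{HEX8})\.{HEX8}\.(?P<type>{HEX8})\.{HEX8}\.sdmp$")


@dataclass
class DumpSource:
    raw: str
    proc: int
    stage: int
    timestamp: int
    base: int
    protect: int
    mem_type: int

    def describe(self) -> str:
        prot = PAGE_PROTECT.get(self.protect, f"protect=0x{self.protect:x}")
        mtype = MEM_TYPE.get(self.mem_type, f"type=0x{self.mem_type:x}")
        return f"proc {self.proc} stage {self.stage} base 0x{self.base:X} {prot} {mtype}"


def parse_sdmp_name(name: str) -> DumpSource:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return DumpSource(raw=name, proc=int(m["proc"], 16), stage=int(m["stage"], 16),
                      timestamp=int(m["ts"]), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mem_type=int(m["type"], 16))


@dataclass
class FunctionEntry:
    source: Optional[DumpSource] = None
    offset: int = 0
    based_on_pe: bool = True
    snapshot: str = ""
    fields: Dict[str, str] = field(default_factory=dict)  # IDs and fuzzy hashes, keyed by label


SOURCE_RE = re.compile(r"(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Memory Dump Source' block; bullet lines become key/value pairs."""
    entries: List[FunctionEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            entries.append(FunctionEntry())
            continue
        if not entries or not line.startswith("•"):
            continue  # section labels such as "Similarity" / "Strings" carry no value
        key, _, value = line[1:].partition(":")  # first colon only: the source line has more
        key, value = key.strip(), value.strip()
        cur = entries[-1]
        if key == "Source File":
            m = SOURCE_RE.fullmatch(value)
            if not m:
                raise ValueError(f"unrecognised source line: {value}")
            cur.source = parse_sdmp_name(m.group(1))
            cur.offset = int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif key == "Snapshot File":
            cur.snapshot = value
        else:
            cur.fields[key] = value
    return entries


def is_unbacked_executable(e: FunctionEntry) -> bool:
    """Executable region not backed by a mapped PE image: the footprint of unpacked or injected code."""
    return e.source is not None and not e.based_on_pe and bool(e.source.protect & EXEC_MASK)


def group_fuzzy_hashes(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Instruction fuzzy hashes per dump region, ready for clustering against other samples."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        h = e.fields.get("Instruction Fuzzy Hash")
        if h and e.source is not None:
            out.setdefault(e.source.raw, []).append(h)
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for region, hashes in group_fuzzy_hashes(parsed).items():
        print(parse_sdmp_name(region).describe(), f"({len(hashes)} functions)")
    print("unbacked executable functions:", sum(is_unbacked_executable(e) for e in parsed))
```

Running it over the sample reports both functions as living in a private RWX region at 0x13C0000 that is not a PE image; the Instruction Fuzzy Hash values are what you would carry into a similarity search, since the Opcode ID and Opcode Fuzzy Hash columns are identical for every entry above and add nothing.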