
Windows Analysis Report
z95g0YV3PKzM3LA5zt.exe

Overview

General Information

Sample name: z95g0YV3PKzM3LA5zt.exe
Analysis ID: 1518579
MD5: b37fbc315b7e7bb63be8df480dc06e9e
SHA1: 4067d052f93087281edbe16f86cfd5fbac07c145
SHA256: 8e1469a8d3fac63fefa4affff492ca82c6d3059bc5c8097a38c04e4e965e1a39
Tags: exe, user-Porcupine

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z95g0YV3PKzM3LA5zt.exe (PID: 3564 cmdline: "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" MD5: B37FBC315B7E7BB63BE8DF480DC06E9E)
    • z95g0YV3PKzM3LA5zt.exe (PID: 4344 cmdline: "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" MD5: B37FBC315B7E7BB63BE8DF480DC06E9E)
    • z95g0YV3PKzM3LA5zt.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" MD5: B37FBC315B7E7BB63BE8DF480DC06E9E)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE/sendMessage?chat_id=7337843299", "Token": "7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE", "Chat_id": "7337843299", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | see list below
  • 0x14864:$a1: get_encryptedPassword
  • 0x14b50:$a2: get_encryptedUsername
  • 0x14670:$a3: get_timePasswordChanged
  • 0x1476b:$a4: get_passwordField
  • 0x1487a:$a5: set_encryptedPassword
  • 0x15ef1:$a7: get_logins
  • 0x15e54:$a10: KeyLoggerEventArgs
  • 0x15abf:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen | see list below
  • 0x19844:$x1: $%SMTPDV$
  • 0x18228:$x2: $#TheHashHere%&
  • 0x197ec:$x3: %FTPDV$
  • 0x181c8:$x4: $%TelegramDv$
  • 0x15abf:$x5: KeyLoggerEventArgs
  • 0x15e54:$x5: KeyLoggerEventArgs
  • 0x19810:$m2: Clipboard Logs ID
  • 0x19a4e:$m2: Screenshot Logs ID
  • 0x19b5e:$m2: keystroke Logs ID
  • 0x19e38:$m3: SnakePW
  • 0x19a26:$m4: \SnakeKeylogger\
(17 entries in total; the remainder are not shown)
Source | Rule | Description | Author | Strings
4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | see list below
  • 0x14a64:$a1: get_encryptedPassword
  • 0x14d50:$a2: get_encryptedUsername
  • 0x14870:$a3: get_timePasswordChanged
  • 0x1496b:$a4: get_passwordField
  • 0x14a7a:$a5: set_encryptedPassword
  • 0x160f1:$a7: get_logins
  • 0x16054:$a10: KeyLoggerEventArgs
  • 0x15cbf:$a11: KeyLoggerEventArgsEventHandler
4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | see list below
  • 0x1c3fa:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b62c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1ba5f:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ca9e:$a5: \Kometa\User Data\Default\Login Data
(28 entries in total; the remainder are not shown)
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T21:23:05.485264+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49716 | 188.114.96.3 | 443 | TCP
2024-09-25T21:23:06.868520+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP
2024-09-25T21:23:13.856554+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49731 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T21:23:03.748617+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:04.779814+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:06.279821+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49717 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:07.651130+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49720 | 132.226.247.73 | 80 | TCP


              AV Detection

Source: z95g0YV3PKzM3LA5zt.exe | Avira: detected
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE/sendMessage?chat_id=7337843299", "Token": "7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE", "Chat_id": "7337843299", "Version": "5.1"}
Source: z95g0YV3PKzM3LA5zt.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: z95g0YV3PKzM3LA5zt.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Xyapk.pdbSHA256 source: z95g0YV3PKzM3LA5zt.exe
Source: Binary string: Xyapk.pdb source: z95g0YV3PKzM3LA5zt.exe
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4x nop then jmp 072BB68Eh | 0_2_072BBBC6
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4x nop then jmp 0176E61Fh | 4_2_0176E431
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4x nop then jmp 0176EFA9h | 4_2_0176E431
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4x nop then jmp 0176FA39h | 4_2_0176F778
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 4_2_0176D7F0

              Networking

Source: Yara match | File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49731 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000322A000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: z95g0YV3PKzM3LA5zt.exe | String found in binary or memory: https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

              System Summary

              barindex
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeCode function: 0_2_0126D3640_2_0126D364
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeCode function: 0_2_051200060_2_05120006
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeCode function: 0_2_051200400_2_05120040
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeCode function: 0_2_06EC19980_2_06EC1998
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeCode function: 0_2_06EC95180_2_06EC9518
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_06EC9513
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_06ECF12B
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_06ECF138
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B0040
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B75F0
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B71B8
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B0006
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B6D6F
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B8CE8
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B6938
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072BE848
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_01766108
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176C190
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176C470
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176E431
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176B4A0
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176F778
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176C754
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_01769858
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_01766880
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176BBB8
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176CA34
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_01764AD9
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176BEB0
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176D7F0
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_0176D7E0
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_01763875
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000000.2145858496.0000000000812000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXyapk.exe: vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2179154488.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2175840617.0000000002C41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2174860901.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621249210.0000000001157000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe | Binary or memory string: OriginalFilenameXyapk.exe: vs z95g0YV3PKzM3LA5zt.exe
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger (author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger)
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs | Base64 encoded string: 'ut1OzrCluW/9VTP3BdyjCRa85OkG0NGBKygUyQwlThgtXkBOEL5s2n8dEfCL+Y0P'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs | Base64 encoded string: 'ut1OzrCluW/9VTP3BdyjCRa85OkG0NGBKygUyQwlThgtXkBOEL5s2n8dEfCL+Y0P'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FWiTG5G38fkpqNXSKd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: _0020.SetAccessControl
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: _0020.AddAccessRule
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FWiTG5G38fkpqNXSKd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: _0020.SetAccessControl
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs | Security API names: _0020.AddAccessRule
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z95g0YV3PKzM3LA5zt.exe.log
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Mutant created: \Sessions\1\BaseNamedObjects\xkdYybQGWIVFbk
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: z95g0YV3PKzM3LA5zt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000338D000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000339B000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4623670248.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000337D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: z95g0YV3PKzM3LA5zt.exe | ReversingLabs: Detection: 34%
              Source: unknown | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rasapi32.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rasman.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rtutils.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: Xyapk.pdbSHA256 source: z95g0YV3PKzM3LA5zt.exe
              Source: Binary string: Xyapk.pdb source: z95g0YV3PKzM3LA5zt.exe

              Data Obfuscation

              Source: z95g0YV3PKzM3LA5zt.exe, Home.cs | .Net Code: InitializeComponent
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs | .Net Code: zl40CrGhar System.Reflection.Assembly.Load(byte[])
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs | .Net Code: zl40CrGhar System.Reflection.Assembly.Load(byte[])
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: compile timestamp 0xA0722687 [Tue Apr 20 12:05:27 2055 UTC]
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072BB5AC pushfd ; ret 0_2_072BB5AD
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B24CC pushfd ; ret 0_2_072B24CD
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B4FF0 pushfd ; ret 0_2_072B4FF1
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B9DDB pushfd ; ret 0_2_072B9DDC
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B5971 pushfd ; ret 0_2_072B5979
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 0_2_072B49D9 pushad ; retf 0_2_072B49E5
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Code function: 4_2_017624B9 push 8BFFFFFFh; retf 4_2_017624BF
              Source: z95g0YV3PKzM3LA5zt.exe | Static PE information: section name: .text entropy: 7.744576518851154
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FWiTG5G38fkpqNXSKd.cs | High entropy of concatenated method names: 'roMRbEDBPo', 'mWfROWO0Lv', 'hvYR38qBES', 'GxQR2l32SN', 'pcZRda5Zj1', 'lNLR85Edg4', 'gw2RMy7njr', 'j34RFlRH23', 'RE4RB9THus', 'atMRoHFJfx'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, rJdl8S4EIMFsWqAWrU.cs | High entropy of concatenated method names: 'X9swtUHud0', 'J1dwRXFCen', 'KFmwhVQCQ8', 'DnLwiSrMtW', 'LHLwYTDjTu', 'lMnhdB5oTo', 'YYvh8HiPOU', 'nSxhMGoXBw', 'ewdhFwdswD', 'ut7hBCsfn3'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, SfAnGpQqaAlCguRy2q.cs | High entropy of concatenated method names: 'kTUNykZKue', 'eLvNLAM9iV', 'QMqNGfkw8G', 'IlrNQtg65m', 'y8mN5GWwrQ', 'WQANkWRP7Z', 'GhYNgFYKVC', 'FDaNTH3rXZ', 'ejFNmE4fOf', 'SGLNZ8eTBW'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, ivgC5E3TmDknlRVt7E.cs | High entropy of concatenated method names: 'ToString', 'BH4kS4Tb7S', 'uy0klB2Au1', 'lKukIHmtnN', 'EM1kKI8iDD', 't58kVFHrFx', 'YE9kxvluN4', 'CPJk9EnWuP', 'jhRkW3DlwR', 'OMdkJl1nun'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, egkYUmX7RAr4MSUhbR1.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dpaZbetXQj', 'dlFZO3kCFL', 'r60Z3GXoGO', 'oVvZ2dQMHj', 'hRpZd135qQ', 'ImyZ8utWBp', 'UdhZMJlDgl'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, DYr2JCpgcbpFW3iPL3.cs | High entropy of concatenated method names: 'IYq1GOSA7l', 'ztx1Q1qKYy', 'iDT148Vh4E', 'awP1lxuoyy', 'KFs1KS2mID', 'FmW1V6dyyp', 'wQL19iVYcc', 'DHr1WrBV65', 'jDJ1E0WAfh', 'dLq1SKTLnv'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, tkrKMm81BObwOWpwht.cs | High entropy of concatenated method names: 'vFWgF3xYlc', 'FJAgo4Xi92', 'ct7TPwwojL', 'mBNTX5aYP9', 'xqZgSsoit1', 'gmbguFTtdU', 'RMMgpYrB9o', 's4PgbGMm3x', 'WSEgOFVSnT', 'yDlg3VgjUZ'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, hUOYUVbgpAmBlGMGd2.cs | High entropy of concatenated method names: 'uXh5E0MROW', 'ov45uxXfvM', 'WIM5bWsxUY', 'Ksd5OvKRA0', 'UKd5lLtUfD', 'Bmb5IKNfPA', 'UC65KZfrbp', 'eN35VisYCC', 'GYB5x0WDlj', 'zav59uJljC'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, p51uIyBLvqaGfHh2Qc.cs | High entropy of concatenated method names: 'Bo9T4xM6S3', 'TPUTlKEHjB', 'QaoTImAIPR', 'hUHTKWiter', 'CflTbo5g2e', 'Ef0TV4uT9e', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, TJCXGWJYHbY7Of0cv5.cs | High entropy of concatenated method names: 'HXbir2fiV2', 'qtri6dxOyW', 'aQhiCMquS3', 'QcxiytWFMZ', 'dtIijLrZOg', 'F1CiLTYIXZ', 'oDrifjPVo2', 'xAfiGKwOGD', 'bfkiQU8wSN', 'IXSiaitSiU'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, P6xBRGXPsVIyCN86tFt.cs | High entropy of concatenated method names: 'zrjmrxFWf7', 'hwcm6kXWYS', 'uqxmClHaAu', 'mSnmywe0de', 'BZDmjEpspw', 'odimLq4HLL', 'S5OmfMqpcR', 'yU6mGQlfvg', 'RJJmQ9h1ZC', 'bdomasZ1RW'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, G26FUwF0lQ4OMj0EHT.cs | High entropy of concatenated method names: 'hDPTs2SoSE', 'LhZTRaO3K5', 'FQ8TNhcBZU', 'UJgThjnC6L', 'LJvTwjTvaf', 'gMjTicoV9f', 'vLyTYCTkW9', 'GQUTUOxNng', 'S0OTe8cSdZ', 'KjwTvPFh6s'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, OD3MtX0q54rlpiTRqI.cs | High entropy of concatenated method names: 'XBaXiWiTG5', 'S8fXYkpqNX', 'QqaXeAlCgu', 'fy2Xvqkh3m', 'KrVX51gmJd', 'H8SXkEIMFs', 'BbnJtU3E0ZIF716xTw', 'zo2KPUMKJyA5R8apJk', 'F0kXXinwvg', 'JWSX7oQEg6'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, xu2O1A99f7VPQm8VkA.cs | High entropy of concatenated method names: 'OPgisIuHjI', 'URTiNrEJLA', 'atyiwi82s0', 'ceFwoHNhIq', 'L3twzeqLvy', 'h4SiPu9S7h', 'WkiiX5Sele', 'EmjiD816WV', 'jf5i7IJddg', 'SWoi0xfPxF'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs | High entropy of concatenated method names: 'YXh7tD5CI5', 'PjX7sD4sRj', 'AVG7R4la52', 'fWO7NlXani', 'qTd7hq1kay', 'AEN7wT7wda', 'RI07i39TOX', 'Bie7YYIQ0o', 'OGD7UWmAtd', 'KNP7ept416'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, f7qq7CRBDAJVb1ChHc.cs | High entropy of concatenated method names: 'Dispose', 'iNTXBYi9Hv', 'QkfDlWTJKG', 'LH7iiY3gN5', 'wl2Xo6FUw0', 'HQ4XzOMj0E', 'ProcessDialogKey', 'uTkDP51uIy', 'BvqDXaGfHh', 'TQcDD4O4X5'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, a8bubl26Qt0gOQkXRc.cs | High entropy of concatenated method names: 'mBDgeuemgw', 'UqpgvnYUWJ', 'ToString', 'Q34gsm8YWj', 'VRlgRB1eUm', 'L9jgN5IfrL', 'DYVghaX5sc', 'kmxgwTVh97', 'mpHgi6Hn2H', 'avRgYHXcrh'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, UMBaSczaeF6AZ5yjh0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UQIm1WXVZV', 'QfHm5qkG3H', 'eWCmkbmjjU', 'JSrmgFsExN', 'tXwmTcqR1k', 'tZ6mmKquqY', 'LlBmZFvBJn'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, LL3julD1IuZS0jrlkJ.cs | High entropy of concatenated method names: 'kHbCX6w6N', 'gBCyI4dV2', 'Vu8LDlxNK', 'wBafIyNy7', 'kTlQ5LjM5', 'QPCaO4uhv', 'xoW6OJLodVT4eSSNUU', 'gamIffXTZhEi5GSM3Y', 'fcHTsTeE1', 'WBJZM4Jla'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FO4X5AoC8eUDAUijMc.cs | High entropy of concatenated method names: 'i6KmXkR9k7', 'BjTm7D3PSu', 'DFFm0j9d8Z', 'WkGmscev0w', 'vaymRc6gBY', 'dSOmhvmucp', 'P6omwB2eCV', 'xkrTMhiWgN', 'X0ZTF632LV', 'MQmTBPaGan'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FWiTG5G38fkpqNXSKd.csHigh entropy of concatenated method names: 'roMRbEDBPo', 'mWfROWO0Lv', 'hvYR38qBES', 'GxQR2l32SN', 'pcZRda5Zj1', 'lNLR85Edg4', 'gw2RMy7njr', 'j34RFlRH23', 'RE4RB9THus', 'atMRoHFJfx'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, rJdl8S4EIMFsWqAWrU.csHigh entropy of concatenated method names: 'X9swtUHud0', 'J1dwRXFCen', 'KFmwhVQCQ8', 'DnLwiSrMtW', 'LHLwYTDjTu', 'lMnhdB5oTo', 'YYvh8HiPOU', 'nSxhMGoXBw', 'ewdhFwdswD', 'ut7hBCsfn3'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, SfAnGpQqaAlCguRy2q.csHigh entropy of concatenated method names: 'kTUNykZKue', 'eLvNLAM9iV', 'QMqNGfkw8G', 'IlrNQtg65m', 'y8mN5GWwrQ', 'WQANkWRP7Z', 'GhYNgFYKVC', 'FDaNTH3rXZ', 'ejFNmE4fOf', 'SGLNZ8eTBW'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, ivgC5E3TmDknlRVt7E.csHigh entropy of concatenated method names: 'ToString', 'BH4kS4Tb7S', 'uy0klB2Au1', 'lKukIHmtnN', 'EM1kKI8iDD', 't58kVFHrFx', 'YE9kxvluN4', 'CPJk9EnWuP', 'jhRkW3DlwR', 'OMdkJl1nun'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, egkYUmX7RAr4MSUhbR1.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dpaZbetXQj', 'dlFZO3kCFL', 'r60Z3GXoGO', 'oVvZ2dQMHj', 'hRpZd135qQ', 'ImyZ8utWBp', 'UdhZMJlDgl'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, DYr2JCpgcbpFW3iPL3.csHigh entropy of concatenated method names: 'IYq1GOSA7l', 'ztx1Q1qKYy', 'iDT148Vh4E', 'awP1lxuoyy', 'KFs1KS2mID', 'FmW1V6dyyp', 'wQL19iVYcc', 'DHr1WrBV65', 'jDJ1E0WAfh', 'dLq1SKTLnv'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, tkrKMm81BObwOWpwht.csHigh entropy of concatenated method names: 'vFWgF3xYlc', 'FJAgo4Xi92', 'ct7TPwwojL', 'mBNTX5aYP9', 'xqZgSsoit1', 'gmbguFTtdU', 'RMMgpYrB9o', 's4PgbGMm3x', 'WSEgOFVSnT', 'yDlg3VgjUZ'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, hUOYUVbgpAmBlGMGd2.csHigh entropy of concatenated method names: 'uXh5E0MROW', 'ov45uxXfvM', 'WIM5bWsxUY', 'Ksd5OvKRA0', 'UKd5lLtUfD', 'Bmb5IKNfPA', 'UC65KZfrbp', 'eN35VisYCC', 'GYB5x0WDlj', 'zav59uJljC'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, p51uIyBLvqaGfHh2Qc.csHigh entropy of concatenated method names: 'Bo9T4xM6S3', 'TPUTlKEHjB', 'QaoTImAIPR', 'hUHTKWiter', 'CflTbo5g2e', 'Ef0TV4uT9e', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, TJCXGWJYHbY7Of0cv5.csHigh entropy of concatenated method names: 'HXbir2fiV2', 'qtri6dxOyW', 'aQhiCMquS3', 'QcxiytWFMZ', 'dtIijLrZOg', 'F1CiLTYIXZ', 'oDrifjPVo2', 'xAfiGKwOGD', 'bfkiQU8wSN', 'IXSiaitSiU'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, P6xBRGXPsVIyCN86tFt.csHigh entropy of concatenated method names: 'zrjmrxFWf7', 'hwcm6kXWYS', 'uqxmClHaAu', 'mSnmywe0de', 'BZDmjEpspw', 'odimLq4HLL', 'S5OmfMqpcR', 'yU6mGQlfvg', 'RJJmQ9h1ZC', 'bdomasZ1RW'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, G26FUwF0lQ4OMj0EHT.csHigh entropy of concatenated method names: 'hDPTs2SoSE', 'LhZTRaO3K5', 'FQ8TNhcBZU', 'UJgThjnC6L', 'LJvTwjTvaf', 'gMjTicoV9f', 'vLyTYCTkW9', 'GQUTUOxNng', 'S0OTe8cSdZ', 'KjwTvPFh6s'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, OD3MtX0q54rlpiTRqI.csHigh entropy of concatenated method names: 'XBaXiWiTG5', 'S8fXYkpqNX', 'QqaXeAlCgu', 'fy2Xvqkh3m', 'KrVX51gmJd', 'H8SXkEIMFs', 'BbnJtU3E0ZIF716xTw', 'zo2KPUMKJyA5R8apJk', 'F0kXXinwvg', 'JWSX7oQEg6'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, xu2O1A99f7VPQm8VkA.csHigh entropy of concatenated method names: 'OPgisIuHjI', 'URTiNrEJLA', 'atyiwi82s0', 'ceFwoHNhIq', 'L3twzeqLvy', 'h4SiPu9S7h', 'WkiiX5Sele', 'EmjiD816WV', 'jf5i7IJddg', 'SWoi0xfPxF'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.csHigh entropy of concatenated method names: 'YXh7tD5CI5', 'PjX7sD4sRj', 'AVG7R4la52', 'fWO7NlXani', 'qTd7hq1kay', 'AEN7wT7wda', 'RI07i39TOX', 'Bie7YYIQ0o', 'OGD7UWmAtd', 'KNP7ept416'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, f7qq7CRBDAJVb1ChHc.csHigh entropy of concatenated method names: 'Dispose', 'iNTXBYi9Hv', 'QkfDlWTJKG', 'LH7iiY3gN5', 'wl2Xo6FUw0', 'HQ4XzOMj0E', 'ProcessDialogKey', 'uTkDP51uIy', 'BvqDXaGfHh', 'TQcDD4O4X5'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, a8bubl26Qt0gOQkXRc.csHigh entropy of concatenated method names: 'mBDgeuemgw', 'UqpgvnYUWJ', 'ToString', 'Q34gsm8YWj', 'VRlgRB1eUm', 'L9jgN5IfrL', 'DYVghaX5sc', 'kmxgwTVh97', 'mpHgi6Hn2H', 'avRgYHXcrh'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, UMBaSczaeF6AZ5yjh0.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UQIm1WXVZV', 'QfHm5qkG3H', 'eWCmkbmjjU', 'JSrmgFsExN', 'tXwmTcqR1k', 'tZ6mmKquqY', 'LlBmZFvBJn'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, LL3julD1IuZS0jrlkJ.csHigh entropy of concatenated method names: 'kHbCX6w6N', 'gBCyI4dV2', 'Vu8LDlxNK', 'wBafIyNy7', 'kTlQ5LjM5', 'QPCaO4uhv', 'xoW6OJLodVT4eSSNUU', 'gamIffXTZhEi5GSM3Y', 'fcHTsTeE1', 'WBJZM4Jla'
              Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FO4X5AoC8eUDAUijMc.csHigh entropy of concatenated method names: 'i6KmXkR9k7', 'BjTm7D3PSu', 'DFFm0j9d8Z', 'WkGmscev0w', 'vaymRc6gBY', 'dSOmhvmucp', 'P6omwB2eCV', 'xkrTMhiWgN', 'X0ZTF632LV', 'MQmTBPaGan'
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process information set: NOOPENFILEERRORBOX (this identical event is recorded 100 times in the report)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 2B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 92B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 7CA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: A2B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: B2B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 3150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599782
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599422
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599141
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 599014
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598902
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598748
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598547
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598422
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598188
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 598063
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597938
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597719
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596985
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596860
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596735
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596610
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596485
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596360
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596235
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 596110
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595985
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594500
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594387
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594282
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594157
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 594032
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 593907
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 593782
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Thread delayed: delay time: 593657
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Window / User API: threadDelayed 2146
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Window / User API: threadDelayed 7664
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 5024 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 3152 | Thread sleep count: 2146 > 30
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 3152 | Thread sleep count: 7664 > 30
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599141s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -599014s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598902s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598748s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -598063s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597938s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 | Thread sleep time: -596235s >= -30000s
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -596110s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595985s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595860s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595735s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595610s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595485s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595360s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595235s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -595110s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594985s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594860s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594719s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594610s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594387s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594157s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -594032s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -593907s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -593782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552Thread sleep time: -593657s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599891Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599782Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599657Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599532Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599422Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599313Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599141Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 599014Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598902Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598748Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598547Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598422Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598313Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598188Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 598063Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597938Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597828Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597719Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597594Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597485Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597360Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597235Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 597110Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596985Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596860Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596735Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596610Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596485Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596360Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596235Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 596110Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595985Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595860Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595735Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595610Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595485Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595360Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595235Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 595110Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594985Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594860Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594719Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594500Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594387Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594282Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594157Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 594032Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 593907Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 593782Jump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeThread delayed: delay time: 593657Jump to behavior
              Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621356875.0000000001386000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Memory written: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR
ATT&CK matrix, one tactic per row; the number in parentheses is the count of matching signatures for that technique, and techniques without a number did not match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Source | Detection | Scanner | Label | Link
z95g0YV3PKzM3LA5zt.exe | 34% | ReversingLabs | Win32.Dropper.Generic |
z95g0YV3PKzM3LA5zt.exe | 100% | Avira | HEUR/AGEN.1306908 |
z95g0YV3PKzM3LA5zt.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://reallyfreegeoip.org | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe |
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe |
http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe |
https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn | 0% | Avira URL Cloud | safe |
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn | z95g0YV3PKzM3LA5zt.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000322A000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518579
Start date and time: 2024-09-25 21:22:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z95g0YV3PKzM3LA5zt.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 94
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target z95g0YV3PKzM3LA5zt.exe, PID 3608 because it is empty
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: z95g0YV3PKzM3LA5zt.exe
Time | Type | Description
15:23:00 | API Interceptor | 10788375x Sleep call for process: z95g0YV3PKzM3LA5zt.exe modified
Match: IP 188.114.96.3
Associated Sample Name / URL | Detection | Threat Name | Context
Cbequipment-Voice Audio Interface.pdf | malicious | HTMLPhisher | www.444317.com/
Sept order.doc | malicious | FormBook | www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
1e#U0414.exe | malicious | Lokibot | dddotx.shop/Mine/PWS/fre.php
https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | malicious | Unknown | hdcy.emcl00.com/qRCfs/
PO23100072.exe | malicious | FormBook | www.cc101.pro/ttiz/
RFQ urrgently.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.weight-loss-003.today/jd21/?Bl=8pSpW470ix&FjUh5xw=8QhlJgbwFiNHSz6ilu/NO/QAEgywgMMp9yv6yRtWAY1NzG57DnL+pjMXQcNu92teMaGp
Petronas quotation request.exe | malicious | FormBook | www.chinaen.org/zi4g/
Shipping Documemt.vbs | malicious | Lokibot | werdotx.shop/Devil/PWS/fre.php
Quotes updates request.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
Match: IP 132.226.247.73
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
file.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | checkip.dyndns.org/
cargo details.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | checkip.dyndns.org/
rShippingDocuments_Pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
rPO_CW00402902400438.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Inquiry List.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match: domain reallyfreegeoip.org
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 188.114.97.3
inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
E-dekont.exe | malicious | Snake Keylogger | 188.114.97.3
Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
file.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.96.3
cargo details.exe | malicious | Snake Keylogger | 188.114.96.3
Match: domain checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 193.122.130.0
inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
E-dekont.exe | malicious | Snake Keylogger | 193.122.130.0
Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
file.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 132.226.247.73
cargo details.exe | malicious | Snake Keylogger | 132.226.247.73
Match: ASN CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Vidar | 188.114.96.3
https://qrco.de/bfQgn5 | malicious | HTMLPhisher | 104.17.25.14
https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj | malicious | HTMLPhisher | 104.17.24.14
SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 188.114.97.3
Cbequipment-Voice Audio Interface.pdf | malicious | HTMLPhisher | 104.18.86.42
SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | 104.26.13.205
Cbequipment-Voice Audio Interface.pdf | malicious | HTMLPhisher | 104.17.25.14
https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90 | malicious | Unknown | 104.18.10.207
SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | 162.159.137.232
https://cumonecumall.com/?tgaficro=aa6ca3230027edf772fbf6d355a8a93e4088a24800997b7b19a8eb4071188a24b1c94854a55c607abc04079f5ff46a3546a43c2ec2696476011777d6ea677911 | malicious | HTMLPhisher | 104.18.95.41
Match: ASN UTMEMUS
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
file.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 132.226.247.73
cargo details.exe | malicious | Snake Keylogger | 132.226.247.73
Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 132.226.247.73
rTEKL__FTALEPVEF__YATTEKL__F__.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
rPROFORMAINVOICE-PO_ATS_1036pdf.exe | malicious | Snake Keylogger | 132.226.8.169
rShippingDocuments_Pdf.exe | malicious | Snake Keylogger | 132.226.247.73
Match: JA3 fingerprint 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe | malicious | VIP Keylogger | 188.114.96.3
inquiry.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
E-dekont.exe | malicious | Snake Keylogger | 188.114.96.3
file.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger | 188.114.96.3
cargo details.exe | malicious | Snake Keylogger | 188.114.96.3
Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger | 188.114.96.3
                    No context
Process: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview (CRLF line ends rendered as '..'): 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.7371445717797585
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: z95g0YV3PKzM3LA5zt.exe
File size: 648'192 bytes
MD5: b37fbc315b7e7bb63be8df480dc06e9e
SHA1: 4067d052f93087281edbe16f86cfd5fbac07c145
SHA256: 8e1469a8d3fac63fefa4affff492ca82c6d3059bc5c8097a38c04e4e965e1a39
SHA512: 7c95ee856caba832301ef0eeafd63807d620c645eba424589a65ac8d2973026d3c5986e0947d2f9a78d5a3e91441132b34b690a9d869a443f86aeeb7a0e2c0de
SSDEEP: 12288:lIwFcDL0sj9HstDlYsjnZDw9MGaUPExCQ8NqEwrJ9by/C:2wFcDL59SDlYmw1EoQ8NqFJ9bmC
TLSH: DCD4D00793ECC711FC3247F2A5145693037EB217E5EDD325AA8C26DE56A0F21AE98B43
File Content Preview (non-printable bytes rendered as '.'): MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&r...............0.................. ........@.. .......................@............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x49f9ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xA0722687 [Tue Apr 20 12:05:27 2055 UTC] (later than the 2024-09-25 analysis date, so the build time is forged or randomised, not a genuine compile time)
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: not reported
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the 6-byte stub are 00 00 padding, which a linear disassembly decodes as this instruction)
The jump target 0x402000 is Imagebase 0x400000 plus the IAT RVA 0x2000, and the IAT's only entry is mscoree.dll!_CorExeMain, so the native entry point is the standard CLR loader stub of a .NET executable; the code that actually runs is CIL reached through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008).
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9f97a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9cabc | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9d9d4 | 0x9da00 | 491ef6036004a8c291051e2da53a34cb | False | 0.7952084159397304 | data | 7.744576518851154 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa0000 | 0x5ac | 0x600 | a8d4132255aae5091510046462e72125 | False | 0.4186197916666667 | data | 4.0792101098427915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa2000 | 0xc | 0x200 | 0ca6d00760e3f55bfc69fcc58ac2c8c9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0090 | 0x31c | data | | | 0.4334170854271357
RT_MANIFEST | 0xa03bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
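The static facts above (TimeDateStamp 0xA0722687, .text entropy 7.74, an entry point that is only `jmp dword ptr [00402000h]`, the IAT at RVA 0x2000 whose single import is mscoree.dll!_CorExeMain) can each be re-derived mechanically from header values, which is how the same checks get applied to the next sample. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security; it takes only the header constants from this report and constructs its own byte strings, since the sample's bytes are not on the page.

```python
"""Header-level triage checks for a PE32 .NET sample.

Added example (not part of the Joe Sandbox report). Three checks:
  * TimeDateStamp later than the analysis time (0xA0722687 decodes to 2055);
  * section entropy close to 8 bits/byte (.text is 7.74 in the report);
  * native entry point equal to the 6-byte CLR stub FF 25 <IAT address>
    (jmp dword ptr [0x402000]) followed by zero bytes, with the address equal
    to Imagebase 0x400000 + IAT RVA 0x2000.
Only the header constants come from the report; the byte strings are constructed.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_BASE = 0x400000            # report: Imagebase
IAT_RVA = 0x2000                 # report: IMAGE_DIRECTORY_ENTRY_IAT
REPORT_TIMESTAMP = 0xA0722687    # report: Time Stamp
# Report start 2024-09-25 21:22:05 +02:00, expressed in UTC.
ANALYSIS_TIME = datetime(2024, 9, 25, 19, 22, 5, tzinfo=timezone.utc)


def decode_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, analysed_at: datetime) -> bool:
    """A build time after the analysis time cannot be genuine; .NET
    obfuscators and malware builders commonly overwrite the field."""
    return decode_timestamp(ts) > analysed_at


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Plain x86 or CIL code usually lands between 5.5 and 6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_clr_stub(code: bytes) -> dict:
    """Recognise the x86 CLR loader stub FF 25 imm32 = jmp dword ptr [imm32].
    The bytes after it are normally zero, which a linear disassembler shows
    as a run of `add byte ptr [eax], al` (opcode bytes 00 00)."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return {"is_clr_stub": False}
    slot = struct.unpack_from("<I", code, 2)[0]
    return {
        "is_clr_stub": True,
        "jmp_target": slot,
        "iat_rva": slot - IMAGE_BASE,
        "trailing_bytes_zero": not any(code[6:]),
    }


def triage(ts: int, analysed_at: datetime, text_section: bytes, entry_code: bytes) -> list:
    """Collect the findings a reviewer wants on the first pass over a sample."""
    findings = []
    if timestamp_is_suspicious(ts, analysed_at):
        when = decode_timestamp(ts)
        findings.append(f"TimeDateStamp {ts:#x} = {when:%Y-%m-%d %H:%M:%S} UTC, after the analysis time")
    h = shannon_entropy(text_section)
    if h > 7.0:
        findings.append(f".text entropy {h:.2f} bits/byte: packed or encrypted payload likely")
    stub = decode_clr_stub(entry_code)
    if stub.get("is_clr_stub") and stub["iat_rva"] == IAT_RVA and stub["trailing_bytes_zero"]:
        findings.append("entry point is the standard CLR stub: jmp through the IAT to mscoree!_CorExeMain")
    return findings


# Constructed inputs. The .text stand-in cycles through all 256 byte values
# (uniform, so its entropy is exactly 8.0); the entry bytes are the report's
# stub FF 25 00 20 40 00 followed by the 194 zero bytes its listing shows.
CONSTRUCTED_TEXT = bytes((i * 7919 + 13) % 256 for i in range(4096))
ENTRY_BYTES = bytes.fromhex("ff2500204000") + bytes(194)

if __name__ == "__main__":
    for line in triage(REPORT_TIMESTAMP, ANALYSIS_TIME, CONSTRUCTED_TEXT, ENTRY_BYTES):
        print("-", line)
```

The entropy threshold of 7.0 is a working heuristic rather than a hard rule: a large embedded resource (an encrypted next-stage payload, as is typical for .NET loaders) drives the whole section towards 8 bits/byte, while a section of ordinary code does not.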
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T21:23:03.748617+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:04.779814+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:05.485264+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49716 | 188.114.96.3 | 443 | TCP
2024-09-25T21:23:06.279821+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49717 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:06.868520+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP
2024-09-25T21:23:07.651130+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49720 | 132.226.247.73 | 80 | TCP
2024-09-25T21:23:13.856554+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49731 | 188.114.96.3 | 443 | TCP
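The alert table above and the packet list that follows are exported with their table cells run together, so a packet row such as `Sep 25, 2024 21:23:02.771465063 CEST4971380192.168.2.6132.226.247.73` is really (timestamp, 49713, 80, 192.168.2.6, 132.226.247.73). Both joins are ambiguous on their own: `8049713` could be 804/9713 as well as 80/49713, and `192.168.2.6132.226.247.73` could be 192.168.2.61 + 32.226.247.73. The Python below is an added example, not part of the Joe Sandbox report: it splits the glued rows back into fields using two facts every sandbox capture provides (one port is ephemeral and the other a service port; every address is either the analysis host or one of the report's contacted IPs) and counts the connections per server, which makes the alternating checkip.dyndns.com / reallyfreegeoip.org pattern visible. It assumes the analysis host 192.168.2.6 and the two contacted IPs from the report's IP table; the six sample rows are copied from the report's packet table.

```python
"""Rebuild a Joe Sandbox text export's flattened packet list into structured flows.

Added example, not part of the report. A row looks like
    Sep 25, 2024 21:23:02.771465063 CEST4971380192.168.2.6132.226.247.73
and encodes (timestamp, source port, dest port, source IP, dest IP) with no
separators. The parser refuses to guess: a row is accepted only if exactly
one way of splitting it satisfies the port-role and known-host constraints.
"""
import re
from dataclasses import dataclass

ANALYSIS_HOST = "192.168.2.6"                                  # report: sandbox VM
CONTACTED = {"132.226.247.73": "checkip.dyndns.com",           # report: IP table
             "188.114.96.3": "reallyfreegeoip.org"}
KNOWN_HOSTS = frozenset({ANALYSIS_HOST, *CONTACTED})

_ROW = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})(?P<rest>[\d.]+)$")


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    src: str
    dst: str


def _service(p: int) -> bool:
    return 1 <= p < 1024


def _ephemeral(p: int) -> bool:
    return 49152 <= p <= 65535


def split_ports(digits: str) -> tuple:
    """Split a glued '<sport><dport>' digit run. Exactly one split may pair an
    ephemeral port with a service port; leading zeros are rejected."""
    if not digits.isdigit():
        raise ValueError(f"not a digit run: {digits!r}")
    hits = []
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if (len(a) > 1 and a[0] == "0") or (len(b) > 1 and b[0] == "0"):
            continue
        pa, pb = int(a), int(b)
        if (_ephemeral(pa) and _service(pb)) or (_service(pa) and _ephemeral(pb)):
            hits.append((pa, pb))
    if len(hits) != 1:
        raise ValueError(f"ambiguous port split {digits!r}: {hits}")
    return hits[0]


def split_ips(glued: str, known: frozenset) -> tuple:
    """Split '<src><dst>' at the one position where both halves are known hosts."""
    hits = [(glued[:i], glued[i:]) for i in range(1, len(glued))
            if glued[:i] in known and glued[i:] in known and glued[:i] != glued[i:]]
    if len(hits) != 1:
        raise ValueError(f"ambiguous address split {glued!r}: {hits}")
    return hits[0]


def parse_packet(row: str, known: frozenset = KNOWN_HOSTS) -> Packet:
    """Try every boundary between the port digits and the first octet and keep
    the single boundary at which both sub-splits succeed."""
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    rest = m["rest"]
    solutions = []
    for k in range(2, len(rest)):
        try:
            src, dst = split_ips(rest[k:], known)
            sport, dport = split_ports(rest[:k])
        except ValueError:
            continue
        solutions.append(Packet(m["ts"], sport, dport, src, dst))
    if len(solutions) != 1:
        raise ValueError(f"ambiguous row {row!r}: {solutions}")
    return solutions[0]


def connections(rows: list) -> dict:
    """Map each contacted server (by name) to the sorted client ports that
    reached it; each distinct client port is one TCP connection."""
    out = {}
    for pkt in map(parse_packet, rows):
        if pkt.src == ANALYSIS_HOST:
            out.setdefault(CONTACTED.get(pkt.dst, pkt.dst), set()).add(pkt.sport)
    return {host: sorted(ports) for host, ports in out.items()}


# Rows copied from the report's packet table (first packets of four connections).
SAMPLE_ROWS = [
    "Sep 25, 2024 21:23:02.771465063 CEST4971380192.168.2.6132.226.247.73",
    "Sep 25, 2024 21:23:02.776352882 CEST8049713132.226.247.73192.168.2.6",
    "Sep 25, 2024 21:23:03.758949041 CEST49715443192.168.2.6188.114.96.3",
    "Sep 25, 2024 21:23:03.759005070 CEST44349715188.114.96.3192.168.2.6",
    "Sep 25, 2024 21:23:04.736932993 CEST49716443192.168.2.6188.114.96.3",
    "Sep 25, 2024 21:23:05.517277956 CEST4971780192.168.2.6132.226.247.73",
]

if __name__ == "__main__":
    for host, ports in connections(SAMPLE_ROWS).items():
        print(f"{host}: {len(ports)} connection(s) from client ports {ports}")
```

The known-host set is what makes the address split unique; without it a row like the second sample would also parse as 132.226.247.731 / 92.168.2.6 on a naive octet count. When a capture contains hosts the parser was not told about, it raises instead of silently picking one reading, which is the behaviour you want before the rows feed a detection or an IOC list.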
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 21:23:02.771465063 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:02.776352882 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:02.776463985 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:02.776833057 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:02.782680988 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:03.489649057 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:03.494705915 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:03.501867056 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:03.703701019 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:03.748616934 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:03.758949041 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:03.759005070 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:03.759346008 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:03.782485962 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:03.782512903 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.286572933 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.286660910 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.291575909 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.291614056 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.291878939 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.342319965 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.398772955 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.443412066 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.516753912 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.516813040 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.516860008 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.522613049 CEST | 49715 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.526335001 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:04.531181097 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:04.734488964 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:04.736932993 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.737025976 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.737128019 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.737387896 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:04.737425089 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:04.779814005 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.324975967 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:05.327299118 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:05.327405930 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:05.485241890 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:05.485311985 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:05.485451937 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:05.511465073 CEST | 49716 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:05.515708923 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.517277956 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.521075964 CEST | 80 | 49713 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:05.522245884 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:05.522337914 CEST | 49713 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.522365093 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.522512913 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:05.527548075 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:06.225425005 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:06.229948044 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.230040073 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.230120897 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.234010935 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.234045982 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.279820919 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.691143036 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.692852974 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.692905903 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.868568897 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.868702888 CEST | 443 | 49719 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:06.870496988 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.876725912 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:06.882857084 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.884308100 CEST | 49720 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.889532089 CEST | 80 | 49717 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:06.889758110 CEST | 49717 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.890383005 CEST | 80 | 49720 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:06.890449047 CEST | 49720 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.890543938 CEST | 49720 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:06.895328999 CEST | 80 | 49720 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:07.650901079 CEST | 80 | 49720 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:07.651129961 CEST | 49720 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:07.652370930 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:07.652440071 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:07.652576923 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:07.652774096 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:07.652791977 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:07.656588078 CEST | 80 | 49720 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:07.656693935 CEST | 49720 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:08.241172075 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:08.242868900 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:08.242892027 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:08.399482012 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:08.399637938 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:08.399741888 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:08.400228024 CEST | 49722 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:08.405035973 CEST | 49723 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:08.409862041 CEST | 80 | 49723 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:08.412293911 CEST | 49723 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:08.412394047 CEST | 49723 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:08.417258024 CEST | 80 | 49723 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:09.128407001 CEST | 80 | 49723 | 132.226.247.73 | 192.168.2.6
Sep 25, 2024 21:23:09.129863977 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:09.129906893 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:09.130124092 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:09.130328894 CEST | 49724 | 443 | 192.168.2.6 | 188.114.96.3
Sep 25, 2024 21:23:09.130351067 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
Sep 25, 2024 21:23:09.170464039 CEST | 49723 | 80 | 192.168.2.6 | 132.226.247.73
Sep 25, 2024 21:23:09.606197119 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.6
                    Sep 25, 2024 21:23:09.608005047 CEST49724443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:09.608027935 CEST44349724188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:09.755176067 CEST44349724188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:09.755274057 CEST44349724188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:09.755321980 CEST49724443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:09.755723953 CEST49724443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:09.759314060 CEST4972380192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:09.760369062 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:09.764374971 CEST8049723132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:09.764441013 CEST4972380192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:09.765119076 CEST8049725132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:09.765189886 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:09.765295982 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:09.770096064 CEST8049725132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:10.457246065 CEST8049725132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:10.458507061 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:10.458537102 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:10.458607912 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:10.458884001 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:10.458899021 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:10.498720884 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:10.947576046 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:10.949264050 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:10.949284077 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:11.101008892 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:11.101131916 CEST44349727188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:11.101183891 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:11.102082014 CEST49727443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:11.105623007 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:11.106784105 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:11.110831976 CEST8049725132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:11.110898018 CEST4972580192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:11.111772060 CEST8049728132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:11.111848116 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:11.111948013 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:11.116940975 CEST8049728132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:11.811682940 CEST8049728132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:11.813208103 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:11.813277960 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:11.813374043 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:11.813610077 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:11.813626051 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:11.857990026 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.312726021 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:12.314718008 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:12.314740896 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:12.457675934 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:12.457840919 CEST44349729188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:12.458013058 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:12.458458900 CEST49729443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:12.462236881 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.463442087 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.467367887 CEST8049728132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:12.467456102 CEST4972880192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.468455076 CEST8049730132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:12.468534946 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.468640089 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:12.473402977 CEST8049730132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:13.132738113 CEST8049730132.226.247.73192.168.2.6
                    Sep 25, 2024 21:23:13.134279013 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:13.134344101 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.134433031 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:13.134824038 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:13.134855032 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.186115026 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:23:13.611454964 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.614247084 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:13.614281893 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.856520891 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.856610060 CEST44349731188.114.96.3192.168.2.6
                    Sep 25, 2024 21:23:13.856700897 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:23:13.857502937 CEST49731443192.168.2.6188.114.96.3
                    Sep 25, 2024 21:24:18.132623911 CEST8049730132.226.247.73192.168.2.6
                    Sep 25, 2024 21:24:18.132739067 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:24:53.139954090 CEST4973080192.168.2.6132.226.247.73
                    Sep 25, 2024 21:24:53.145081997 CEST8049730132.226.247.73192.168.2.6
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 25, 2024 21:23:02.755228043 CEST | 50717 | 53 | 192.168.2.6 | 1.1.1.1
                    Sep 25, 2024 21:23:02.762825966 CEST | 53 | 50717 | 1.1.1.1 | 192.168.2.6
                    Sep 25, 2024 21:23:03.746956110 CEST | 57458 | 53 | 192.168.2.6 | 1.1.1.1
                    Sep 25, 2024 21:23:03.758234978 CEST | 53 | 57458 | 1.1.1.1 | 192.168.2.6
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Sep 25, 2024 21:23:02.755228043 CEST | 192.168.2.6 | 1.1.1.1 | 0x5e98 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:03.746956110 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c4 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:02.762825966 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e98 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:03.758234978 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c4 | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    Sep 25, 2024 21:23:03.758234978 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c4 | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    • reallyfreegeoip.org
                    • checkip.dyndns.org
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49713 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:02.776833057 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 25, 2024 21:23:03.489649057 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:03 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 804b1ae3d3d2d1511bcd783df199990d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Sep 25, 2024 21:23:03.494705915 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Sep 25, 2024 21:23:03.703701019 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:03 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 052dd1bef98266901aadce6e92fc5e5d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                    Sep 25, 2024 21:23:04.526335001 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Sep 25, 2024 21:23:04.734488964 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:04 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 9abae6f0b4531e6ea0c9092f1338326d
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.6 | 49717 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:05.522512913 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Sep 25, 2024 21:23:06.225425005 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:06 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 8c4ee0d28d0905652c342c6da787b4f1
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.6 | 49720 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:06.890543938 CEST | 127 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Sep 25, 2024 21:23:07.650901079 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:07 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 159f16cfc17414786b016b4888277c2f
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.6 | 49723 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:08.412394047 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 25, 2024 21:23:09.128407001 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:09 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: d8e461e21f50466b2448e19238bb79a2
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.6 | 49725 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:09.765295982 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 25, 2024 21:23:10.457246065 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:10 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 1ed656112581cda1a63d673d3e009ab7
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.6 | 49728 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:11.111948013 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 25, 2024 21:23:11.811682940 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:11 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 1d6ca77f1ab52a12f410ae6cce3f9ba6
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.6 | 49730 | 132.226.247.73 | 80 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Sep 25, 2024 21:23:12.468640089 CEST | 151 | OUT | GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                    Sep 25, 2024 21:23:13.132738113 CEST | 320 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:13 GMT
                    Content-Type: text/html
                    Content-Length: 103
                    Connection: keep-alive
                    Cache-Control: no-cache
                    Pragma: no-cache
                    X-Request-ID: 0eee4283a6b528e2d31b4c4583c7c228
                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49715 | 188.114.96.3 | 443 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-09-25 19:23:04 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-09-25 19:23:04 UTC | 676 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:04 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44243
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N6n3iuGothliDYLuN5zL2Stp%2BmwRGAAkGUuv7fWAJqKmWgWGXVn1x8DQqynYSizK2hZ2yv07ZXBsIg4KfVeFrn2J1DdhNMJRityYnj8HV%2BXDcT8vDfHX2f16320K3NZWk%2FQFoUrP"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d62f8cb817288-EWR
                    2024-09-25 19:23:04 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.6 | 49716 | 188.114.96.3 | 443 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-09-25 19:23:05 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-09-25 19:23:05 UTC | 678 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:05 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44244
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6WtgWZJlEQ%2FQ3WFCnCHKMVsZQNqaNrTkn63HkmekeM0%2FHWC5UB9d2aQLw2zIYG7zM0vdGb4c%2BzxeSrxxYytQF35T3UWnaAvlCHTvAsUi9WLNU%2FJHnAASMdqmGmD5EeU3za1EerhE"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d62fedbb50f80-EWR
                    2024-09-25 19:23:05 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-09-25 19:23:06 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-09-25 19:23:06 UTC | 676 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:06 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44245
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LSeCHj9njiwmG5%2F3k%2FA%2BqSJwnpcTC0inIUZoX3rhHLIkhDFXsvwWtEpimmjcMaQdoCzcEIis76Z5K63SdBEyXpp6mGfHGjHLBZNJQ1HJWphOS9GCVu6dmRZaZWyIP6P8TFMs5Bm2"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d63076bf28ccd-EWR
                    2024-09-25 19:23:06 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.6 | 49722 | 188.114.96.3 | 443 | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-09-25 19:23:08 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-09-25 19:23:08 UTC | 680 | IN | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:08 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44247
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FB5ddEJZM4IJohUyKrSKKHg9nrwLJy3A3FsMT1EKB%2BKdiAw9NwbrtSokcdYHHi8%2FbSe%2BhH8%2FT0cUd5IWklDmOhXk24hWAB%2BOHMuqbhkm1yyXwjOHVDkI2AC2JLCsrzTtenqd2Fgj"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d63112dac420a-EWR
                    2024-09-25 19:23:08 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:08 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    4          | 192.168.2.6 | 49724       | 188.114.96.3   | 443              | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp               | Bytes transferred | Direction | Data
                    2024-09-25 19:23:09 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-09-25 19:23:09 UTC | 688               | IN        | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:09 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44248
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4NniymVAFWFvWe4OrCOcAu5CE9swc8Mi5UW%2Bu21LA8xOQl%2FQjHiZgSyYkWgjktVajof4Mrc49V0EcJVmaqn4%2F%2FK0aQm4hss%2FUa%2B6CP%2FPlX8WQktH%2FMaQxulga%2FIxZb6VINjGzQ7K"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d63197f635e78-EWR
                    2024-09-25 19:23:09 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:09 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    5          | 192.168.2.6 | 49727       | 188.114.96.3   | 443              | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp               | Bytes transferred | Direction | Data
                    2024-09-25 19:23:10 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-09-25 19:23:11 UTC | 678               | IN        | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:11 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44250
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CarXyulSgW%2BcsmYdC5Lz0%2Bf4UcCA%2BGXHEJ1Rs8Jl71PpcCORxwIwcKY8rVIc2cBWYOUzsEc%2FZrpeRWA7wUbmR1cKzSLzdTI5rJxY6Ie1IKmgRFpEyUFvoFNpZcSpdR2d8SFzeXep"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d6321f977c34f-EWR
                    2024-09-25 19:23:11 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:11 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    6          | 192.168.2.6 | 49729       | 188.114.96.3   | 443              | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp               | Bytes transferred | Direction | Data
                    2024-09-25 19:23:12 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    Connection: Keep-Alive
                    2024-09-25 19:23:12 UTC | 676               | IN        | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:12 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44251
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bzrYiiIbiYMN7TW47EoEhOs465NkCsqhtOwAcX4Gf27KFgZoSQqFMfxV3dudyHUHAWrSeIvRrG0NsYcfX8%2FNkk8st0oHqT1QfL%2F7X1QzuLf247sLDY%2B9qtvILFpEIiIgRUKhdMEs"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d632a7b0c429e-EWR
                    2024-09-25 19:23:12 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:12 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    7          | 192.168.2.6 | 49731       | 188.114.96.3   | 443              | 3608 | C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Timestamp               | Bytes transferred | Direction | Data
                    2024-09-25 19:23:13 UTC | 60                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                    Host: reallyfreegeoip.org
                    2024-09-25 19:23:13 UTC | 688               | IN        | HTTP/1.1 200 OK
                    Date: Wed, 25 Sep 2024 19:23:13 GMT
                    Content-Type: application/xml
                    Transfer-Encoding: chunked
                    Connection: close
                    access-control-allow-origin: *
                    vary: Accept-Encoding
                    Cache-Control: max-age=86400
                    CF-Cache-Status: HIT
                    Age: 44252
                    Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=otb3w%2BEUhcVXUVeM0Vc%2Bj63AF3wPl9C4jls8XUVOIXMj%2B%2F75OHCs08To56Jg4wvJDf3GliN%2FadJxDjgQ9BDYjbi2%2F2MOFZDMrPnnSJ3HuDpv3CDfrO%2BwFPOr5%2FLjh%2FiNpSxJOabk"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8c8d6332acca43be-EWR
                    2024-09-25 19:23:13 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                    2024-09-25 19:23:13 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0



                    Target ID:0
                    Start time:15:23:00
                    Start date:25/09/2024
                    Path:C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
                    Imagebase:0x810000
                    File size:648'192 bytes
                    MD5 hash:B37FBC315B7E7BB63BE8DF480DC06E9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:15:23:00
                    Start date:25/09/2024
                    Path:C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
                    Imagebase:0x360000
                    File size:648'192 bytes
                    MD5 hash:B37FBC315B7E7BB63BE8DF480DC06E9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:4
                    Start time:15:23:00
                    Start date:25/09/2024
                    Path:C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
                    Imagebase:0xd10000
                    File size:648'192 bytes
                    MD5 hash:B37FBC315B7E7BB63BE8DF480DC06E9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:10.1%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:3%
                      Total number of Nodes:270
                      Total number of Limit Nodes:13

                      Control-flow Graph

                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B975E
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B9840
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: AllocMemoryProcessVirtualWrite
                      • String ID:
                      • API String ID: 645232735-0
                      • Opcode ID: 920b73aafff7a5afe030050de9ceba52503b5a65f786813254460e14bd157939
                      • Instruction ID: 413afc8128030ec01dee1e14a4c51438c5b3384ca311e4ccf876626e016a74cc
                      • Opcode Fuzzy Hash: 920b73aafff7a5afe030050de9ceba52503b5a65f786813254460e14bd157939
                      • Instruction Fuzzy Hash: F04148B291030ADFDF10CFA9C8417DEBBF5BF88310F148429E659A7250C779A554DBA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178817214.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6ec0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fc4ecd0ac46addec7523367e42047747d97bc55ce68a165945c94a8e5fa68db4
                      • Instruction ID: f7ee4b060566833894e4d027c1f71bfba74a99c3f6d23ddbbef881d303af98c5
                      • Opcode Fuzzy Hash: fc4ecd0ac46addec7523367e42047747d97bc55ce68a165945c94a8e5fa68db4
                      • Instruction Fuzzy Hash: 3EA21531E102598FCB15DB68C8987EDB7B1FF89300F1586A9D90AA7250EF74AE95CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 721c3b305965f132ecf55789087d787afd74d42618f9ec0c067992b088646370
                      • Instruction ID: c0f89629ecef0a087d2b60d78e1de55df797c88b8418bc85785174901cb9158a
                      • Opcode Fuzzy Hash: 721c3b305965f132ecf55789087d787afd74d42618f9ec0c067992b088646370
                      • Instruction Fuzzy Hash: E6B102B0D24258CFDB25CFA9C8446EEBBF6FF8A340F14926AD409AB215D7745986CF10
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f18a5dd70991afe6212f66899aec136180bf63c6577d61b3a9400bd1d8db48f
                      • Instruction ID: 36e1a77a1d12c1e3031e06ff634141b5177714aadbb3ce4aa89641cfb38558db
                      • Opcode Fuzzy Hash: 7f18a5dd70991afe6212f66899aec136180bf63c6577d61b3a9400bd1d8db48f
                      • Instruction Fuzzy Hash: 87B1E1B4D24218CBDB25CFA9C4446EEFBF6BF89340F10962AD409B7215D7B45986CF10
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ff149957076078200cf1a071582778970899edd7f7bfc456ade48848a70712d8
                      • Instruction ID: cdfa3a7b25346c4fcf0bf0d51ef6170b2b8efd92c0223419aab9eb26a88589d7
                      • Opcode Fuzzy Hash: ff149957076078200cf1a071582778970899edd7f7bfc456ade48848a70712d8
                      • Instruction Fuzzy Hash: 1CE08CA4C3D248CFC321AF2494485F4BAB8BF0B341F4431A9C10DA7212E67049008A29

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B9C6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 6e4571a4bc5bf449f97266b88f7450420f95f5d0b7694a1fae3c5395f496a8af
                      • Instruction ID: 7b1dd28c661ccbfdf5a08476283ff59a1c9b542cf416ac3923caf8006f0553d6
                      • Opcode Fuzzy Hash: 6e4571a4bc5bf449f97266b88f7450420f95f5d0b7694a1fae3c5395f496a8af
                      • Instruction Fuzzy Hash: E9A18CB1D1021ACFEF24DF69C8417EEBBB2BF48350F148569E948A7240DB74A985CF91

Control-flow Graph (rendered graph omitted; function spans 72b9a38-72b9d7d and calls CreateProcessA)
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B9C6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 15e18368adeb925bf7f3652a629373a5b9556211bdf918e15d404478cbd25fb0
                      • Instruction ID: 68d0c7f8a26509e6d221da4eb826e5ffcf0a9b74ab98ef34611428923ea3e971
                      • Opcode Fuzzy Hash: 15e18368adeb925bf7f3652a629373a5b9556211bdf918e15d404478cbd25fb0
                      • Instruction Fuzzy Hash: EF917DB1D1021ACFEF24DF69C841BEDBBB2BF48350F148569E948A7240DB74A985CF91

Control-flow Graph (rendered graph omitted; function spans 126ada8-126b028, calls GetModuleHandleW and internal functions 126a100, 126a10c, 126a11c, 126a12c, 126a13c, 126b030, 126b040)
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0126AFFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 7666790323aa2dd1422a941154d9faa8491bb7888bac45b68a2eff515cf4415d
                      • Instruction ID: 2ee624ece97c5da23419d4c22b94993290ee1a1476bf6c80792eb5d3ee056161
                      • Opcode Fuzzy Hash: 7666790323aa2dd1422a941154d9faa8491bb7888bac45b68a2eff515cf4415d
                      • Instruction Fuzzy Hash: E7714770A10B068FD724DF29D44176ABBF5FF88300F00892DE54AE7A91DB75E985CB91

Control-flow Graph (rendered graph omitted; function spans 12644e0-1265a61 and calls CreateActCtxA)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 012659C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 63d6d1253ee5b4dec8acd898fb499391e0b0115ad7a3ed97525b946cc89f305f
                      • Instruction ID: b254d430e681ef3d2a617ed619620cc93fe4eca09b69c8f1950013e61632ea6f
                      • Opcode Fuzzy Hash: 63d6d1253ee5b4dec8acd898fb499391e0b0115ad7a3ed97525b946cc89f305f
                      • Instruction Fuzzy Hash: B841F171C1071DCBDB24CFA9C984BDEBBB5BF48304F20806AD508AB291DBB56945CF90

Control-flow Graph (rendered graph omitted; function spans 126590d-1265a61 and calls CreateActCtxA)
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 012659C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: bcdf9dd1f5dad549502a849a664bb6e1c853be4111feed75f5de85b37c1fa121
                      • Instruction ID: 24a901ad3a0a6e55299e4e869d83845e082f9f48ab65f850ef2f720a61e9976d
                      • Opcode Fuzzy Hash: bcdf9dd1f5dad549502a849a664bb6e1c853be4111feed75f5de85b37c1fa121
                      • Instruction Fuzzy Hash: B941F1B1C00719CBDB24CFA9C9857CDBBF5BF48304F20806AD508AB251DB756946CF90

Control-flow Graph (rendered graph omitted; function spans 5124050-512416c and calls CallWindowProcW)
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05124111
                      Memory Dump Source
                      • Source File: 00000000.00000002.2177695174.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5120000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: 4410e6a4394c0edc9114a46318d36bbe43d8c63607fa88013102276b44995cd9
                      • Instruction ID: 1014b8eb8d8f55b8821be788f21284c6073e31a213232aa1017be94c945e9527
                      • Opcode Fuzzy Hash: 4410e6a4394c0edc9114a46318d36bbe43d8c63607fa88013102276b44995cd9
                      • Instruction Fuzzy Hash: 7D4129B5900319CFCB14CF99C848AAEBBF6FF88314F248459D519AB321D7B5A851CFA0

Control-flow Graph (rendered graph omitted; function spans 72b97b0-72b9886 and calls WriteProcessMemory)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B9840
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 4ff9b2e33db1d3fc36c95125bc505bb01b4692286b43a653e7a1fffd146b885b
                      • Instruction ID: 643e911375b1173de1cd1ef78fd35c20a1fd1fe4dc2cdcc890fa93f2383046a9
                      • Opcode Fuzzy Hash: 4ff9b2e33db1d3fc36c95125bc505bb01b4692286b43a653e7a1fffd146b885b
                      • Instruction Fuzzy Hash: 4B2128B191034ADFDB10CFA9C881BDEBBF5FF48310F108429E558A7241C778A554CBA4

Control-flow Graph (rendered graph omitted; function spans 72b9610-72b96dc and calls Wow64SetThreadContext)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B9696
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 9df6963cc5d8ab5c91de920d103bfcd08205cfd0093122aa13b1d6cc6e3b600e
                      • Instruction ID: 8fc2ef41ad85e796b65270c3cb39df8e29b6bcc133d960f90c29f34e19c1d6ee
                      • Opcode Fuzzy Hash: 9df6963cc5d8ab5c91de920d103bfcd08205cfd0093122aa13b1d6cc6e3b600e
                      • Instruction Fuzzy Hash: F62159B19003099FDB10DFAAC8817EEBBF4EF48360F148429D559A7241D778A544CBA5

Control-flow Graph (rendered graph omitted; function spans 72b9898-72b9966 and calls ReadProcessMemory)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B9920
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: b9424c8f867df40748d4b90c70eb008f0d2b254413edd72836e3df7581631167
                      • Instruction ID: 28b10c240ddc7552c3a0ea69c64bfb53f0c30f0e4c7b8392f3cd6e1d7afdb246
                      • Opcode Fuzzy Hash: b9424c8f867df40748d4b90c70eb008f0d2b254413edd72836e3df7581631167
                      • Instruction Fuzzy Hash: 2F2119B18003499FDF10DFAAC885BEEBBF5FF48320F10842AE559A7251C779A550CBA5

Control-flow Graph (rendered graph omitted; function spans 126b790-126d73a and calls DuplicateHandle)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126D646,?,?,?,?,?), ref: 0126D707
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 2f2edbb89460525ffbcdf18654690fe9d78ba7bf878c11c36af9ee9bc1a433bd
                      • Instruction ID: 6b93688abb612d6b2ceaed0772a4cb32e216486310466d308935e41a44fd9f80
                      • Opcode Fuzzy Hash: 2f2edbb89460525ffbcdf18654690fe9d78ba7bf878c11c36af9ee9bc1a433bd
                      • Instruction Fuzzy Hash: A12105B591024DDFDB10CF9AD884ADEBBF8EB48310F14841AE954A3350D378A950CFA5

Control-flow Graph (rendered graph omitted; function spans 126d679-126d73a and calls DuplicateHandle)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126D646,?,?,?,?,?), ref: 0126D707
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: e65fc400f56d8f436b513bd084a1fb6ab940a0c1d8f895ed3ca2609714800c5a
                      • Instruction ID: 63684728b594e32c031f45091cae08ebd7615c584083535ae09d6e0ed3a1933c
                      • Opcode Fuzzy Hash: e65fc400f56d8f436b513bd084a1fb6ab940a0c1d8f895ed3ca2609714800c5a
                      • Instruction Fuzzy Hash: 8221E3B5D002499FDB10CF9AD984ADEBFF9EB48320F14841AE914A3250D378A954CFA5

Control-flow Graph (rendered graph omitted; function spans 72b9618-72b96dc and calls Wow64SetThreadContext)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B9696
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: aeadcd1bb724e4ac8f65b713698cfa8453e1e5a63fb691caee06509e6f575a11
                      • Instruction ID: 897e3da65b2503611eabbf1ba324f53f1d20b0583dda495a763421c46b2658f0
                      • Opcode Fuzzy Hash: aeadcd1bb724e4ac8f65b713698cfa8453e1e5a63fb691caee06509e6f575a11
                      • Instruction Fuzzy Hash: EF213AB1D003098FDB10DFAAC4857EEBBF4AF48350F14842DD559A7240D778A544CFA5
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B9920
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: a0f4d25aac7aa4c035f7855f77c7f1af924a7e90a8b75c948cdbfffe2324d3d6
                      • Instruction ID: bdc011e9d9d77f311b3b207fb6923b319e09b45666d0092a4138d8c27f69710f
                      • Opcode Fuzzy Hash: a0f4d25aac7aa4c035f7855f77c7f1af924a7e90a8b75c948cdbfffe2324d3d6
                      • Instruction Fuzzy Hash: 602116B18003499FDB10DFAAC881BEEBBF5FF48310F108429E558A7250C778A950CBA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B975E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 2d0bc973ae5394887afd918538f84c30e1f2c7d9a838e93e9fe274495765e972
                      • Instruction ID: ad1d3cf6c436e9e87fca7c2e2eac90610ee1c96c79c74724371b62d2d8db9a3e
                      • Opcode Fuzzy Hash: 2d0bc973ae5394887afd918538f84c30e1f2c7d9a838e93e9fe274495765e972
                      • Instruction Fuzzy Hash: 311147B2904349DFDB10DFAAC844BEEBFF5AF88320F248419E555A7250C775A550CBA1
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B975E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 3bbf06047d5d7afbbcdb6b124dedb3ac034fd12594d13b41ceaa886a6fbca591
                      • Instruction ID: 9d42877a3323f898162d519d00d82a0ab9bb0ee18d1c09de9064b9f29d6d47f6
                      • Opcode Fuzzy Hash: 3bbf06047d5d7afbbcdb6b124dedb3ac034fd12594d13b41ceaa886a6fbca591
                      • Instruction Fuzzy Hash: F61126B2900349DFDB20DFAAC845BDEBBF5EF88720F248819E519A7250C775A550CBA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: e5bebfcd342e3c5259d0deb081720784fd079642341584bdf7036ecd0592c809
                      • Instruction ID: 5664817be38365cc9360ef7d18eca175c04b91d45fc3b7fe908ff651e673f1fc
                      • Opcode Fuzzy Hash: e5bebfcd342e3c5259d0deb081720784fd079642341584bdf7036ecd0592c809
                      • Instruction Fuzzy Hash: FB115BB1904349CFDB20DFAAC8457EEFBF5AF88324F24881ED119A7240C779A544CBA5
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 59a09bf2865f4c1a3dd6320129682c25d931541ae8ad71b03d85060336f7d689
                      • Instruction ID: bbf70bca6220327acc879da28b19567cf9d168d608074d862f2c273b1b613b85
                      • Opcode Fuzzy Hash: 59a09bf2865f4c1a3dd6320129682c25d931541ae8ad71b03d85060336f7d689
                      • Instruction Fuzzy Hash: CB1158B19003498FDB20DFAAC8457DEFBF4AF88320F208819D519A7240CB75A540CBA4
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0126AFFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2175490511.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1260000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 619517c52f472d7ef62bc9dc2aa7b462f7e756b8ab749bdcc6071497a43d0187
                      • Instruction ID: 5448af22834b741cb32184ecd29409a379a45115c75c9b2086e056932cb1414b
                      • Opcode Fuzzy Hash: 619517c52f472d7ef62bc9dc2aa7b462f7e756b8ab749bdcc6071497a43d0187
                      • Instruction Fuzzy Hash: C811E3B5D047498FDB14CF9AC844BDEFBF8AF88324F10841AD529A7250D3B5A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 072BC7F5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: e96e7c51ad5aabe612e7a400743ea6605fbbbc8ffbb7d0dc3c395dd870d6f5e7
                      • Instruction ID: a2710ee51a095a1c029047df9e8ff1175d079de3ef2b02ae4d72ee3421c00038
                      • Opcode Fuzzy Hash: e96e7c51ad5aabe612e7a400743ea6605fbbbc8ffbb7d0dc3c395dd870d6f5e7
                      • Instruction Fuzzy Hash: 4711F5B580428A9FDB20DF99D985BDEBBF4EB48324F20845AE518A7210C3B56594CFA0
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 072BC7F5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178988964.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 1a288399e811b08cbf433b56dd20c5a9cf045c2b075e815b45aa7129afb504b6
                      • Instruction ID: 1c63831de072ca25df20e5857148cb24ff95e6f7f6bc9ec3cf438851a62c288e
                      • Opcode Fuzzy Hash: 1a288399e811b08cbf433b56dd20c5a9cf045c2b075e815b45aa7129afb504b6
                      • Instruction Fuzzy Hash: 3C1106B5814349DFDB20DF99C884BDEBBF8EB48320F108459E518A7310C3B5A944CFA1
                      APIs
                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06EC6E89,?,?), ref: 06EC7030
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178817214.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6ec0000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 5772c6aaa39b9b9a3e05eb746c9183e2b79c4f8bb4da9359f7ceb036fb0d5d0c
                      • Instruction ID: 983d805700dc6f81406b33594d54c1502eb11b51d62e1b1cfd539e1e565e3148
                      • Opcode Fuzzy Hash: 5772c6aaa39b9b9a3e05eb746c9183e2b79c4f8bb4da9359f7ceb036fb0d5d0c
                      • Instruction Fuzzy Hash: C11128B5C003498FDB50DF99C945BEEBBF4EB48320F209419D558A7340D779A545CFA1
                      APIs
                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06EC6E89,?,?), ref: 06EC7030
                      Memory Dump Source
                      • Source File: 00000000.00000002.2178817214.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7a0f970777c8bd336107c509c9a8cadaa52a5ab790ca50cd8ce46837fd41bd3
                      • Instruction ID: 2daba8476bcc8aaeb716b59a3d81bd6286e8161f61e13cfa2de5396bc75c0eae
                      • Opcode Fuzzy Hash: a7a0f970777c8bd336107c509c9a8cadaa52a5ab790ca50cd8ce46837fd41bd3
                      • Instruction Fuzzy Hash: 40223F75A1021ACFCB94DF69E984ACDBBB6FF88301F1091A9D819AB314DB345E85CF41
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8c43d42c391403bb2038a5e58f59a7810b9404a6de094bb29b8fd13f8c0c23eb
                      • Instruction ID: ff4a4236209c5396bb4609bbff0cdf814a41303f41db84c8d55351859d66a915
                      • Opcode Fuzzy Hash: 8c43d42c391403bb2038a5e58f59a7810b9404a6de094bb29b8fd13f8c0c23eb
                      • Instruction Fuzzy Hash: 16B154B07543018FEB165A2CC958B3DBA9EEF85604F1844AAEE06DF3A5EA64CC41C753
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 085526060d53791096eba2c75fdc4bfc9d11cba4d420d01ba565ef2abf5579d3
                      • Instruction ID: 30ee5ed6528f5b251f493fc7ba98fe862199c0404d0637cc8fc30a9be1b67f96
                      • Opcode Fuzzy Hash: 085526060d53791096eba2c75fdc4bfc9d11cba4d420d01ba565ef2abf5579d3
                      • Instruction Fuzzy Hash: 9791BD307042018FDB169F78D858B6EBBE6BBC9250F188569E906CB395DF389C41DB91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a59b1dd84e09daaf19ce28b8cb2d791343db4243fcfa1d0dad6017c85839eb71
                      • Instruction ID: 56ec11b6234d5369412ad33ef1721270349fbc237a70f477a2c3495e07850eb1
                      • Opcode Fuzzy Hash: a59b1dd84e09daaf19ce28b8cb2d791343db4243fcfa1d0dad6017c85839eb71
                      • Instruction Fuzzy Hash: 2181B130A00106DFCB14CF6DC88896DFBBAFF89290B148169D905DB3A5D731EC42DB90
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b7ed327943162c26d6166b5603c2353394be936fc8e711dac70e09b28ae82f9f
                      • Instruction ID: 9ee948c1bc77c7c9c764cfd489c13b3724da70324b524a98e0d19faf30ee7142
                      • Opcode Fuzzy Hash: b7ed327943162c26d6166b5603c2353394be936fc8e711dac70e09b28ae82f9f
                      • Instruction Fuzzy Hash: 0D710D347002458FDB19DF2CC498A6DBBE9AF49798F2540A9E906CB3B1DB74DC41CB91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 88ae427b50987ade4264eb5cdea428cf865825c4da09ea776cdb916bb536f216
                      • Instruction ID: 200d28ebb37ea7cc8b061c09e1b3a07cf9ae21a416bfa09f2eb473980b8a9f94
                      • Opcode Fuzzy Hash: 88ae427b50987ade4264eb5cdea428cf865825c4da09ea776cdb916bb536f216
                      • Instruction Fuzzy Hash: 6651CE300B5306CFC2743BA4E1AC56EBBA1FB0F377722BD05A41EA9499AB705449DF20
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 935d3785b91c9429436794a803ec02204e2cb5eb51b710aebee0c73858441758
                      • Instruction ID: 8c20918b4a41764324b8a1ae151add673cdf844ae21776feef8ea5318858b80f
                      • Opcode Fuzzy Hash: 935d3785b91c9429436794a803ec02204e2cb5eb51b710aebee0c73858441758
                      • Instruction Fuzzy Hash: E451BD301B5306CFC2343BA4E1AC56EBBA5FB0F377762BD01A42E99499AB705449DF20
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 146697b7fcbfdd4d818902b0627a75bcfb29f882cb9b2ddf86dc4c35a13b1fc3
                      • Instruction ID: ba0f2c04dd41ae7cebfc518d54763e4979f0d5b36f7ba0a0a3ff11bc4fe5a08b
                      • Opcode Fuzzy Hash: 146697b7fcbfdd4d818902b0627a75bcfb29f882cb9b2ddf86dc4c35a13b1fc3
                      • Instruction Fuzzy Hash: 68516F307002459FDB11DE69C844B6FBFEAAB88354F1484A6EE08CB296DB75DC45CB91
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e73e03ab7735c1f956d8d9b4401ad0a71f3c3e9d3fe96f7bc471c35ed40f3847
                      • Instruction ID: 7661bd2521c74d86b2d49b2fc4996fdabbc39bbdbe998209e96cc0c51dd39334
                      • Opcode Fuzzy Hash: e73e03ab7735c1f956d8d9b4401ad0a71f3c3e9d3fe96f7bc471c35ed40f3847
                      • Instruction Fuzzy Hash: 2E610174E01219CFDB25DFE5D858AEDBBB2FF88300F208129D805AB295DB756A45CF40
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1d516d0f0c28f46f5313a9b1933ba48e74807c03eddefdab6acf45f1c92d4e8a
                      • Instruction ID: 8e372697d00f79a5e2ada2e51faad64a65ff5b3082f88618dd0599257f720fc1
                      • Opcode Fuzzy Hash: 1d516d0f0c28f46f5313a9b1933ba48e74807c03eddefdab6acf45f1c92d4e8a
                      • Instruction Fuzzy Hash: 81519274E01208DFDB54DFAAD5849DDBBF2BF89310F20816AE819AB365DB319845CF50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 191b5da44f8598307031a9c16c2d4ba3fe2d9b0f287325c5c2e482d718ea247a
                      • Instruction ID: 9692674581a1dc4ef9e990d413c76c1469d7e3940b09217501d409e3b6ad1154
                      • Opcode Fuzzy Hash: 191b5da44f8598307031a9c16c2d4ba3fe2d9b0f287325c5c2e482d718ea247a
                      • Instruction Fuzzy Hash: 3851A275E01208CFCB48DFAAD59499DBBB6FF8D301B609069E805AB324DB35AD41CF40
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 923ed69b838a9b511ab06b1ab6c83ec8cd81ef15ca0490dc3a841dc6cccd8712
                      • Instruction ID: fa686946af816200952638a3fd96ab23d2358f598ec325d9bd1e93b241dd387d
                      • Opcode Fuzzy Hash: 923ed69b838a9b511ab06b1ab6c83ec8cd81ef15ca0490dc3a841dc6cccd8712
                      • Instruction Fuzzy Hash: 9F4105357042059FCB159B79D8546AEBFFABBC8720F24806DDA16E7395CE309C01CBA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9090c7ec85f55827b37b1e1596d15bb8ac139bf69846409839d2993accd38497
                      • Instruction ID: a110f68084819a9f88eb7dbd2aec888e2d9b479eb69f43655700589def2e1dfb
                      • Opcode Fuzzy Hash: 9090c7ec85f55827b37b1e1596d15bb8ac139bf69846409839d2993accd38497
                      • Instruction Fuzzy Hash: E9519131A04249DFCF12CFA8C844A9DFFF6AF89318F148556EE159B2A6D331D914CBA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 557c6c2444ddb05272c577e7879a734ecb9f951f40677882181cc976de284ae1
                      • Instruction ID: a07c62903f46603a53a5791a0e1cd0619d8fe4f6a03baac90f60ff62b1912e99
                      • Opcode Fuzzy Hash: 557c6c2444ddb05272c577e7879a734ecb9f951f40677882181cc976de284ae1
                      • Instruction Fuzzy Hash: 1441C231A0434ADFCB158F68C804BAEBFBAEB85314F44846AF855DB252D778DC45CBA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1814495dd29a432b261eaa4f52beb40133090d2b8911004ed3de47453276ac59
                      • Instruction ID: 6fe21be933cf0c34f67e2381ac0cba0190a54fc9891166cedad9affa9e108018
                      • Opcode Fuzzy Hash: 1814495dd29a432b261eaa4f52beb40133090d2b8911004ed3de47453276ac59
                      • Instruction Fuzzy Hash: 4131A375B042158BEB194979599427EED9EBBC4220F28403ADD1AC7385DFB4CC45C7A1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 70489a4ee95885abd62d406f9f15dc90a9dd135f2bb85b62325a303121c5f201
                      • Instruction ID: 5fa8fb4bcf7af4403e00b02df7cd29ba2488262ea3f9a396e7364ff6e2df9956
                      • Opcode Fuzzy Hash: 70489a4ee95885abd62d406f9f15dc90a9dd135f2bb85b62325a303121c5f201
                      • Instruction Fuzzy Hash: 7A31953564810ADFCF159F64E854AAF7BABFB8C210F108425FD168B295CB34CC61DBA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a68c9338aeaf169098339c6f9513af0214e76228762cf478fc4b931e7376af3d
                      • Instruction ID: 35eb3da50fabd98f348200a3a88ea7b9e10eac0a950149f98f358528faf9e120
                      • Opcode Fuzzy Hash: a68c9338aeaf169098339c6f9513af0214e76228762cf478fc4b931e7376af3d
                      • Instruction Fuzzy Hash: 5731D030604345DFCB12CF59D8849AAFFB9FF89320B6485A2EE44DB255C331E9168BA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7339eaeb373c689328267fbebe52a97862992fd9f1f4372da8ad08eae380ccff
                      • Instruction ID: fb634203663d972e61532c9f20f891dbdd45480682183a8aa03bfea180a1ad6d
                      • Opcode Fuzzy Hash: 7339eaeb373c689328267fbebe52a97862992fd9f1f4372da8ad08eae380ccff
                      • Instruction Fuzzy Hash: C221A6343042414BEB1E163D8C94A3DBB9EAFC969D71440B5DE06CB79AEE29CC42A7D1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: acb221d510cc2f886afb478f4726069375a911487d58a9e5de7d809fe7dfdb5b
                      • Instruction ID: f25aae365a349e41ce823c6f1dac7f1dd10e8bfff6d7c41559781e21d17a62b9
                      • Opcode Fuzzy Hash: acb221d510cc2f886afb478f4726069375a911487d58a9e5de7d809fe7dfdb5b
                      • Instruction Fuzzy Hash: 80319670A406068FCB05CF6DC8849AEFBFBBF85350B258159D915E73A6CB349C02CB90
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d0bdacc2d5a7a3ac20d37298d85e6a485d52e28044d25e1bb9af97ec62ca573d
                      • Instruction ID: e03d6f5ba885adeae00f4b43e4fa723f7b3fe419b64c3643f2638d5039afb45b
                      • Opcode Fuzzy Hash: d0bdacc2d5a7a3ac20d37298d85e6a485d52e28044d25e1bb9af97ec62ca573d
                      • Instruction Fuzzy Hash: DF21CB3430020147EB1916398894A3EB58FAFC879CF148074DE06CB799EE69CC41E3C0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7246d002c9404e5c665f77c8a430e9074b6402673555d6e9df04e7869076fbdb
                      • Instruction ID: 466a4fcfd51cd812d6b567263d870d0044832c90acd3bc9082886bca766f8a39
                      • Opcode Fuzzy Hash: 7246d002c9404e5c665f77c8a430e9074b6402673555d6e9df04e7869076fbdb
                      • Instruction Fuzzy Hash: C821F435A00209EFCB54DF24D8409AEB7AAEF8C350B50C099EC099B381DB35EE41CBD1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4621760384.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_157d000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 73526d3b2c09200a54d7e7377cf11455963c984c61f4704c2c0f73d30829e527
                      • Instruction ID: a78ee0545414569da2daecf33ca5647f812eeee91c54824a2d5feb1ce87db5f6
                      • Opcode Fuzzy Hash: 73526d3b2c09200a54d7e7377cf11455963c984c61f4704c2c0f73d30829e527
                      • Instruction Fuzzy Hash: 0A2103B2504204DFDB05DF54E9C1B2ABFB5FF88328F208569E90A0E256C336D456CAA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1fbcb39b6369f0e883a9a9d24c16b202a64cdc5be7de849f3a9932d07337756
                      • Instruction ID: 557e9d17673c294d1e2f56dc41a5697bf12a495cb9fd1322d98b374e09276959
                      • Opcode Fuzzy Hash: b1fbcb39b6369f0e883a9a9d24c16b202a64cdc5be7de849f3a9932d07337756
                      • Instruction Fuzzy Hash: C92190357416128BD7299A29D49852EFBABFFC86A1B158179ED16CB394CE30DC029BC0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4621806555.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_158d000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9aa952e958d86bfd30519b4b07f7191512cff6142d1b18583a927023eef0ee1f
                      • Instruction ID: 3b4e92922aa4a12c24086fe6a421a64ebda6ff691a2a12039941fddd9c15bba3
                      • Opcode Fuzzy Hash: 9aa952e958d86bfd30519b4b07f7191512cff6142d1b18583a927023eef0ee1f
                      • Instruction Fuzzy Hash: 63212FB1104204EFCB14EF64C980B2ABBF1FB84314F20C96DE9495F292D77AD447CA61
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e153817456060c4b362eaaf37d2fe54d1303ab98b3f0511b42bcbe3f05062a22
                      • Instruction ID: a355080f55881df13dfc042760994d1a07e606a9bca01010c1a3cd579629adfe
                      • Opcode Fuzzy Hash: e153817456060c4b362eaaf37d2fe54d1303ab98b3f0511b42bcbe3f05062a22
                      • Instruction Fuzzy Hash: 8B119235E08349DBCB019BF89C104DEFB34FF853107258796D616B7152EA311906C791
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d19f25cabd87e975647a5e3ab1bf07a42ae3eed05f87862ea0e69f67022c2e1a
                      • Instruction ID: ef3fdf89c5dea3d29fd35526bd0bd4e67bd885801b2cfab5f773e98dff30d0a6
                      • Opcode Fuzzy Hash: d19f25cabd87e975647a5e3ab1bf07a42ae3eed05f87862ea0e69f67022c2e1a
                      • Instruction Fuzzy Hash: 3721B07090424ADFDB06DFB8D84069DBFF5FB81300F0491AAC954EB256EB745E4ACB81
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e7767f712d8f9842ccb58f0c2d3904c3d667c8cbbe451a57067aa1503914b82f
                      • Instruction ID: 50d780236e334e34ed2a3359daa92eff25f13a8294e566324b28911a544a7a1e
                      • Opcode Fuzzy Hash: e7767f712d8f9842ccb58f0c2d3904c3d667c8cbbe451a57067aa1503914b82f
                      • Instruction Fuzzy Hash: CF213D70A00249DFDB15DFA5E550AEEBFBAFF48300F248069E911E6291DB359941DF60
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a03f6265a6171919b6b361f54ee387a137858a3597c25eefe5c7e49b1c786859
                      • Instruction ID: a94eced1526b080756c34327fbb28e90133773007f285c87667c047f8bf9d3d9
                      • Opcode Fuzzy Hash: a03f6265a6171919b6b361f54ee387a137858a3597c25eefe5c7e49b1c786859
                      • Instruction Fuzzy Hash: 84218735648106DFDB159F68E84866B7BAAFB88710F104035F9168B295CB34CC55C7D1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4023308a380188240ea06143142064705f0a5ee3dd9736c9d18cd33c3366fcc6
                      • Instruction ID: c5ae597bd4074d50ff7a200e8ddf6a3f360f8dc105202d0d2b4bb60ff0d7e560
                      • Opcode Fuzzy Hash: 4023308a380188240ea06143142064705f0a5ee3dd9736c9d18cd33c3366fcc6
                      • Instruction Fuzzy Hash: C5211FB4D0524A8FCB01EFA8D8445EDBFF4BF4A210F1041AAD805B7226EB301A45CBA2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e1cda54385dcfb68256a10e71a12315e89da93460ede8a296eccb23c73c17e2e
                      • Instruction ID: 5103b5ebb5fd8102a516194d766d9b8ec8b60e3fd1bfab39a20b53e8b6c6e977
                      • Opcode Fuzzy Hash: e1cda54385dcfb68256a10e71a12315e89da93460ede8a296eccb23c73c17e2e
                      • Instruction Fuzzy Hash: 88214770C042498FCB11EFB8C4884EDBFB0BF49310F5441AED805B7254EB305A84CBA2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4621760384.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_157d000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                      • Instruction ID: 598b3104c4af5f02df29eb80a8d1230b0a2e362206d152095a4b840939d52d53
                      • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                      • Instruction Fuzzy Hash: 2611AF76504284CFDB16CF54D5C4B1ABF71FB84314F2486A9D8090B257C33AD45ACBA1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bbb981816e6913a288dc3b446158271ee9f975fc4a0077ea526f1043d4c03f07
                      • Instruction ID: 40d1e4752ff8f2a0d881f100d43582476430234e089265cfbec582044305371d
                      • Opcode Fuzzy Hash: bbb981816e6913a288dc3b446158271ee9f975fc4a0077ea526f1043d4c03f07
                      • Instruction Fuzzy Hash: 41113A7090020ADFEB45EFA9D54079EBFF5FB84304F1092A9C514AB254EB745E469B81
                      Memory Dump Source
                      • Source File: 00000004.00000002.4621806555.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_158d000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                      • Instruction ID: 9e63c551a2dcfc1cd78f337b680cd5f3b9d1707f2c73f6c721c912829429a468
                      • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                      • Instruction Fuzzy Hash: CA11A975504284CFCB12DF54C9C4B19BBB2FB84314F24C6A9D8494B292C33AD44ACB62
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7d7e71475f2574fca960e12ba4609188faf253d1deb796b165e4d9c1ce045dd6
                      • Instruction ID: 83b8cfb2523eeed6f34ee6fda74e3ce202afa3d32b57e25bea62aaeec273a363
                      • Opcode Fuzzy Hash: 7d7e71475f2574fca960e12ba4609188faf253d1deb796b165e4d9c1ce045dd6
                      • Instruction Fuzzy Hash: 1501F9717041055FDB019E64A8106FEBFEBEFC8791B18806AF905D7294CA71CC12D761
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9f067371d27fa502d9fd6293562f9a569b7eb30d50899998f1f54ad55921d46f
                      • Instruction ID: 7f2a2aa674f40a7a87fd578725b42cf714d9c308095f92c499901604fd46ffef
                      • Opcode Fuzzy Hash: 9f067371d27fa502d9fd6293562f9a569b7eb30d50899998f1f54ad55921d46f
                      • Instruction Fuzzy Hash: 8D014F75B0411A9FEB04DEA8D884BFFF7BDEB98314F048469EA01D7241D639DD418BA0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a75499dc8e2b456a6764df4ba20d9bad0a8c1266c78240ab7b02910d66feab3b
                      • Instruction ID: 2adb4ba4a1c93562a8dd215734ba9556fca5defa98205482d33e27c74fe28986
                      • Opcode Fuzzy Hash: a75499dc8e2b456a6764df4ba20d9bad0a8c1266c78240ab7b02910d66feab3b
                      • Instruction Fuzzy Hash: 4BF0E535D293966BCB1397A0DC184DEFF39ED53210B455597E9607B053EB20250AC7B1
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7fd91c9b48a02ac705872d7821dba4f0581a29ce56b934a80bd8758dd51c2681
                      • Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
                      • Opcode Fuzzy Hash: 7fd91c9b48a02ac705872d7821dba4f0581a29ce56b934a80bd8758dd51c2681
                      • Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction ID: a0d63a13605ba922a45f832f593bb3b164ea77e1c7829523a4fe2ff83d93ce22
                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                      • Instruction Fuzzy Hash: 59C0123320C2282AA725108F7C40AA7AB8CC2C12B4A250277FA1CA3200A8429C8001AA
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f22583549074c85ff43fb586602757c255b2673f09129f1e8e658d01ae058728
                      • Instruction ID: 3a27bcc505ebacc7d4549f2bf11f30eaa3f089ccbb6a757f499ee19ba4ff111f
                      • Opcode Fuzzy Hash: f22583549074c85ff43fb586602757c255b2673f09129f1e8e658d01ae058728
                      • Instruction Fuzzy Hash: 04D0677AB511089FCB149F98E8409DDB7B6FB9C221B148126E915A3264C6319921DB50
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f706f2fcb0b9c1632f7fca628470c303e2c4eaa04978bfee5c43d499afc3d66c
                      • Instruction ID: 6bd7a5f5c8869d165daa00d40854afc4d94e824f9e8c35c5b6abca42a7563f65
                      • Opcode Fuzzy Hash: f706f2fcb0b9c1632f7fca628470c303e2c4eaa04978bfee5c43d499afc3d66c
                      • Instruction Fuzzy Hash: 00D05E7050834B8BD61AF335FA1A4593F39FBC0204F80959DAA084E056EEFD5C8A67E2
                      Memory Dump Source
                      • Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a0970cb98997ef3e71e9486302b1866f13f80b9d399041a9956ef909bbd67ef
                      • Instruction ID: 6bb7ebf3258cab650330dd0912cfada1f6561f44122ad9bccb698a812f62016f
                      • Opcode Fuzzy Hash: 6a0970cb98997ef3e71e9486302b1866f13f80b9d399041a9956ef909bbd67ef
                      • Instruction Fuzzy Hash: FFC0803010030BC7D549F776F9469593B6EF6C0310F409518B1090E155DFFC1C855791
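The listing above is one "Memory Dump Source" record per recovered function, and the same region identifiers repeat across many records. Below is an added example (not Joe Sandbox code, and not part of the report) that parses records of this shape into structured entries, cross-checks the redundant fields the report carries (the base in the `.sdmp` name, the `Offset`, and the process/stage/base encoded in the `hcaresult_*` snapshot name), counts functions per dumped region, and flags regions whose protection word is `0x40`. The field layout of the `.sdmp` name (process index, stage, dump id, base, protection, three flag words) is an assumption made for this example; `0x40` being `PAGE_EXECUTE_READWRITE` is the winnt.h value, but reading the fifth field as a protection value is part of that assumption. The sample text is copied from the entries listed above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' records and sanity-check them (added example)."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# winnt.h constant. Treating the fifth .sdmp name field as a protection value
# is an ASSUMPTION about the naming scheme, not something the report states.
PAGE_EXECUTE_READWRITE = 0x40

ENTRY_HEADER = "Memory Dump Source"
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<file>\S+?),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(
    r"(?:•\s*)?(?P<key>Snapshot File|Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
    r"Instruction Fuzzy Hash):\s*(?P<val>\S+)")
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_")
KEY_TO_ATTR = {"Snapshot File": "snapshot_file", "Opcode ID": "opcode_id",
               "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
               "Instruction Fuzzy Hash": "instruction_fuzzy"}


@dataclass
class DumpEntry:
    source_file: str
    offset: int
    based_on_pe: bool
    snapshot_file: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""

    def name_fields(self) -> dict:
        """Assumed layout: proc index, stage (decimal), dump id, base, protection, 3 flag words."""
        parts = self.source_file.split(".")
        if len(parts) != 9 or parts[-1] != "sdmp":
            raise ValueError(f"unexpected dump file name: {self.source_file}")
        return {"proc": int(parts[0]), "stage": int(parts[1]), "dump_id": parts[2],
                "base": int(parts[3], 16), "protect": int(parts[4], 16),
                "flags": tuple(int(p, 16) for p in parts[5:8])}

    def is_rwx(self) -> bool:
        return self.name_fields()["protect"] == PAGE_EXECUTE_READWRITE

    def is_consistent(self) -> bool:
        """proc/stage/base must agree between .sdmp name, Offset and snapshot name."""
        f = self.name_fields()
        m = SNAPSHOT_RE.search(self.snapshot_file)
        if not m or f["base"] != self.offset:
            return False
        return (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (
            f["proc"], f["stage"], f["base"])


def parse_entries(text: str) -> list[DumpEntry]:
    """One DumpEntry per 'Memory Dump Source' block; unknown bullet lines are ignored."""
    entries = []
    for chunk in text.split(ENTRY_HEADER):
        m = SOURCE_RE.search(chunk)
        if not m:
            continue
        entry = DumpEntry(m["file"], int(m["offset"], 16), m["pe"] == "true")
        for fm in FIELD_RE.finditer(chunk):
            setattr(entry, KEY_TO_ATTR[fm["key"]], fm["val"])
        entries.append(entry)
    return entries


def functions_per_region(entries: list[DumpEntry]) -> Counter:
    """How many recovered functions each dumped region contributed."""
    return Counter(e.name_fields()["base"] for e in entries)


def rwx_regions(entries: list[DumpEntry]) -> list[int]:
    return sorted({e.name_fields()["base"] for e in entries if e.is_rwx()})


# Sample input copied from the listing above (second and third records abbreviated).
SAMPLE = """Memory Dump Source
• Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbb981816e6913a288dc3b446158271ee9f975fc4a0077ea526f1043d4c03f07
• Instruction ID: 40d1e4752ff8f2a0d881f100d43582476430234e089265cfbec582044305371d
• Opcode Fuzzy Hash: bbb981816e6913a288dc3b446158271ee9f975fc4a0077ea526f1043d4c03f07
• Instruction Fuzzy Hash: 41113A7090020ADFEB45EFA9D54079EBFF5FB84304F1092A9C514AB254EB745E469B81
Memory Dump Source
• Source File: 00000004.00000002.4621806555.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
• Snapshot File: hcaresult_4_2_158d000_z95g0YV3PKzM3LA5zt.jbxd
• Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Memory Dump Source
• Source File: 00000004.00000002.4622096695.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false
• Snapshot File: hcaresult_4_2_1760000_z95g0YV3PKzM3LA5zt.jbxd
• Opcode ID: 7d7e71475f2574fca960e12ba4609188faf253d1deb796b165e4d9c1ce045dd6
• Instruction Fuzzy Hash: 1501F9717041055FDB019E64A8106FEBFEBEFC8791B18806AF905D7294CA71CC12D761
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        f = e.name_fields()
        print(f"proc {f['proc']} stage {f['stage']} base {f['base']:#x} "
              f"protect {f['protect']:#x} rwx={e.is_rwx()} consistent={e.is_consistent()}")
    print(functions_per_region(parse_entries(SAMPLE)))
```

Two regions in the sample, both with protection word `0x40` and neither backed by a PE (`based on PE: false`), which is the picture one expects from an unpacked payload running out of memory it allocated itself; the per-region counts tell you which dump file is worth loading into the disassembler first. The `is_consistent` check is there because these listings are often copied out of rendered pages where a line can be dropped or merged, and a mismatched base is the cheapest way to notice.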