Edit tour

Windows Analysis Report
z1MB267382625AE.exe

Overview

General Information

Sample name:	z1MB267382625AE.exe
Analysis ID:	1560033
MD5:	b996196f91e1480ba0a4bb0304a1f960
SHA1:	417edfb082a48d152475e0a174162d05e9581045
SHA256:	f6b094d042f1ccc79ef5060b18495c6bee55585630fac2c3d3f32a8c9c174de6
Tags:	exeuser-Porcupine
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z1MB267382625AE.exe (PID: 3400 cmdline: "C:\Users\user\Desktop\z1MB267382625AE.exe" MD5: B996196F91E1480BA0A4BB0304A1F960)

powershell.exe (PID: 7152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6556 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 3916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6464 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

z1MB267382625AE.exe (PID: 2536 cmdline: "C:\Users\user\Desktop\z1MB267382625AE.exe" MD5: B996196F91E1480BA0A4BB0304A1F960)

pNgFqm.exe (PID: 5840 cmdline: C:\Users\user\AppData\Roaming\pNgFqm.exe MD5: B996196F91E1480BA0A4BB0304A1F960)

schtasks.exe (PID: 3664 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pNgFqm.exe (PID: 5764 cmdline: "C:\Users\user\AppData\Roaming\pNgFqm.exe" MD5: B996196F91E1480BA0A4BB0304A1F960)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "FTP", "FTP Server": "ftp://cpanel2-nl.thcservers.com/", "FTP Username": "snup@lifechangerscare.com", "Password": "Uvob2G1Tc73ZCus02X", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8b5:$x1: $%SMTPDV$ 0x98b:$x4: $%TelegramDv$ 0x881:$m2: Clipboard Logs ID 0xadb:$m2: Screenshot Logs ID 0xbeb:$m2: keystroke Logs ID 0xec5:$m3: SnakePW 0xab3:$m4: \SnakeKeylogger\
00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6919:$a1: get_encryptedPassword 0x6c05:$a2: get_encryptedUsername 0x6725:$a3: get_timePasswordChanged 0x6820:$a4: get_passwordField 0x692f:$a5: set_encryptedPassword 0x7fab:$a7: get_logins 0x7f0e:$a10: KeyLoggerEventArgs 0x7b79:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b9d99:$a1: get_encryptedPassword 0x1da7b9:$a1: get_encryptedPassword 0x1fafd9:$a1: get_encryptedPassword 0x1ba085:$a2: get_encryptedUsername 0x1daaa5:$a2: get_encryptedUsername 0x1fb2c5:$a2: get_encryptedUsername 0x1b9ba5:$a3: get_timePasswordChanged 0x1da5c5:$a3: get_timePasswordChanged 0x1fade5:$a3: get_timePasswordChanged 0x1b9ca0:$a4: get_passwordField 0x1da6c0:$a4: get_passwordField 0x1faee0:$a4: get_passwordField 0x1b9daf:$a5: set_encryptedPassword 0x1da7cf:$a5: set_encryptedPassword 0x1fafef:$a5: set_encryptedPassword 0x1bb42b:$a7: get_logins 0x1dbe4b:$a7: get_logins 0x1fc66b:$a7: get_logins 0x1bb38e:$a10: KeyLoggerEventArgs 0x1dbdae:$a10: KeyLoggerEventArgs 0x1fc5ce:$a10: KeyLoggerEventArgs
00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1bed35:$x1: $%SMTPDV$ 0x1df755:$x1: $%SMTPDV$ 0x1fff75:$x1: $%SMTPDV$ 0x1bd6d0:$x2: $#TheHashHere%& 0x1de0f0:$x2: $#TheHashHere%& 0x1fe910:$x2: $#TheHashHere%& 0x1bd67c:$x3: %FTPDV$ 0x1de09c:$x3: %FTPDV$ 0x1fe8bc:$x3: %FTPDV$ 0x1bee0b:$x4: $%TelegramDv$ 0x1df82b:$x4: $%TelegramDv$ 0x20004b:$x4: $%TelegramDv$ 0x1baff9:$x5: KeyLoggerEventArgs 0x1bb38e:$x5: KeyLoggerEventArgs 0x1dba19:$x5: KeyLoggerEventArgs 0x1dbdae:$x5: KeyLoggerEventArgs 0x1fc239:$x5: KeyLoggerEventArgs 0x1fc5ce:$x5: KeyLoggerEventArgs 0x1bed01:$m2: Clipboard Logs ID 0x1bef5b:$m2: Screenshot Logs ID 0x1bf06b:$m2: keystroke Logs ID
Process Memory Space: z1MB267382625AE.exe PID: 3400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z1MB267382625AE.exe PID: 3400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: z1MB267382625AE.exe PID: 3400	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: z1MB267382625AE.exe PID: 3400	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x784af:$a1: get_encryptedPassword 0x78791:$a2: get_encryptedUsername 0x782c5:$a3: get_timePasswordChanged 0x783c0:$a4: get_passwordField 0x784c5:$a5: set_encryptedPassword 0x7a99b:$a7: get_logins 0x7a8fe:$a10: KeyLoggerEventArgs 0x7a569:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: z1MB267382625AE.exe PID: 3400	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7a569:$x5: KeyLoggerEventArgs 0x7a8fe:$x5: KeyLoggerEventArgs 0x7b4d7:$x5: KeyLoggerEventArgs 0x7b838:$x5: KeyLoggerEventArgs 0x7cb46:$m2: Clipboard Logs ID 0x7cc5a:$m2: Screenshot Logs ID 0x7ccb0:$m2: keystroke Logs ID 0x7cde5:$m3: SnakePW 0x7cc46:$m4: \SnakeKeylogger\
Process Memory Space: z1MB267382625AE.exe PID: 2536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z1MB267382625AE.exe PID: 2536	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: pNgFqm.exe PID: 5840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pNgFqm.exe PID: 5764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pNgFqm.exe PID: 5764	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: pNgFqm.exe PID: 5764	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4358d:$a1: get_encryptedPassword 0x4386f:$a2: get_encryptedUsername 0x433a3:$a3: get_timePasswordChanged 0x4349e:$a4: get_passwordField 0x435a3:$a5: set_encryptedPassword 0x45a79:$a7: get_logins 0x459dc:$a10: KeyLoggerEventArgs 0x45647:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: pNgFqm.exe PID: 5764	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x45647:$x5: KeyLoggerEventArgs 0x459dc:$x5: KeyLoggerEventArgs 0x465b5:$x5: KeyLoggerEventArgs 0x46916:$x5: KeyLoggerEventArgs 0x24363:$m2: Clipboard Logs ID 0x24477:$m2: Screenshot Logs ID 0x244cd:$m2: keystroke Logs ID 0x24602:$m3: SnakePW 0x24463:$m4: \SnakeKeylogger\
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.z1MB267382625AE.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.z1MB267382625AE.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.z1MB267382625AE.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c487:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baec:$a4: \Orbitum\User Data\Default\Login Data 0x1cb2b:$a5: \Kometa\User Data\Default\Login Data
0.2.z1MB267382625AE.exe.38fe280.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1MB267382625AE.exe.38fe280.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.z1MB267382625AE.exe.38fe280.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d19:$a1: get_encryptedPassword 0x13005:$a2: get_encryptedUsername 0x12b25:$a3: get_timePasswordChanged 0x12c20:$a4: get_passwordField 0x12d2f:$a5: set_encryptedPassword 0x143ab:$a7: get_logins 0x1430e:$a10: KeyLoggerEventArgs 0x13f79:$a11: KeyLoggerEventArgsEventHandler
0.2.z1MB267382625AE.exe.38fe280.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a687:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cec:$a4: \Orbitum\User Data\Default\Login Data 0x1ad2b:$a5: \Kometa\User Data\Default\Login Data
0.2.z1MB267382625AE.exe.38fe280.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13908:$s1: UnHook 0x1390f:$s2: SetHook 0x13917:$s3: CallNextHook 0x13924:$s4: _hook
0.2.z1MB267382625AE.exe.38fe280.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cb5:$x1: $%SMTPDV$ 0x16650:$x2: $#TheHashHere%& 0x165fc:$x3: %FTPDV$ 0x17d8b:$x4: $%TelegramDv$ 0x13f79:$x5: KeyLoggerEventArgs 0x1430e:$x5: KeyLoggerEventArgs 0x17c81:$m2: Clipboard Logs ID 0x17edb:$m2: Screenshot Logs ID 0x17feb:$m2: keystroke Logs ID 0x182c5:$m3: SnakePW 0x17eb3:$m4: \SnakeKeylogger\
0.2.z1MB267382625AE.exe.391eca0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1MB267382625AE.exe.391eca0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.z1MB267382625AE.exe.391eca0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d19:$a1: get_encryptedPassword 0x13005:$a2: get_encryptedUsername 0x12b25:$a3: get_timePasswordChanged 0x12c20:$a4: get_passwordField 0x12d2f:$a5: set_encryptedPassword 0x143ab:$a7: get_logins 0x1430e:$a10: KeyLoggerEventArgs 0x13f79:$a11: KeyLoggerEventArgsEventHandler
0.2.z1MB267382625AE.exe.391eca0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a687:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cec:$a4: \Orbitum\User Data\Default\Login Data 0x1ad2b:$a5: \Kometa\User Data\Default\Login Data
0.2.z1MB267382625AE.exe.391eca0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13908:$s1: UnHook 0x1390f:$s2: SetHook 0x13917:$s3: CallNextHook 0x13924:$s4: _hook
0.2.z1MB267382625AE.exe.391eca0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cb5:$x1: $%SMTPDV$ 0x16650:$x2: $#TheHashHere%& 0x165fc:$x3: %FTPDV$ 0x17d8b:$x4: $%TelegramDv$ 0x13f79:$x5: KeyLoggerEventArgs 0x1430e:$x5: KeyLoggerEventArgs 0x17c81:$m2: Clipboard Logs ID 0x17edb:$m2: Screenshot Logs ID 0x17feb:$m2: keystroke Logs ID 0x182c5:$m3: SnakePW 0x17eb3:$m4: \SnakeKeylogger\
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b19:$a1: get_encryptedPassword 0x35539:$a1: get_encryptedPassword 0x55d59:$a1: get_encryptedPassword 0x14e05:$a2: get_encryptedUsername 0x35825:$a2: get_encryptedUsername 0x56045:$a2: get_encryptedUsername 0x14925:$a3: get_timePasswordChanged 0x35345:$a3: get_timePasswordChanged 0x55b65:$a3: get_timePasswordChanged 0x14a20:$a4: get_passwordField 0x35440:$a4: get_passwordField 0x55c60:$a4: get_passwordField 0x14b2f:$a5: set_encryptedPassword 0x3554f:$a5: set_encryptedPassword 0x55d6f:$a5: set_encryptedPassword 0x161ab:$a7: get_logins 0x36bcb:$a7: get_logins 0x573eb:$a7: get_logins 0x1610e:$a10: KeyLoggerEventArgs 0x36b2e:$a10: KeyLoggerEventArgs 0x5734e:$a10: KeyLoggerEventArgs
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c487:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cea7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d6c7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0d9:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8f9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baec:$a4: \Orbitum\User Data\Default\Login Data 0x3c50c:$a4: \Orbitum\User Data\Default\Login Data 0x5cd2c:$a4: \Orbitum\User Data\Default\Login Data 0x1cb2b:$a5: \Kometa\User Data\Default\Login Data 0x3d54b:$a5: \Kometa\User Data\Default\Login Data 0x5dd6b:$a5: \Kometa\User Data\Default\Login Data
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15708:$s1: UnHook 0x36128:$s1: UnHook 0x56948:$s1: UnHook 0x1570f:$s2: SetHook 0x3612f:$s2: SetHook 0x5694f:$s2: SetHook 0x15717:$s3: CallNextHook 0x36137:$s3: CallNextHook 0x56957:$s3: CallNextHook 0x15724:$s4: _hook 0x36144:$s4: _hook 0x56964:$s4: _hook
0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab5:$x1: $%SMTPDV$ 0x3a4d5:$x1: $%SMTPDV$ 0x5acf5:$x1: $%SMTPDV$ 0x18450:$x2: $#TheHashHere%& 0x38e70:$x2: $#TheHashHere%& 0x59690:$x2: $#TheHashHere%& 0x183fc:$x3: %FTPDV$ 0x38e1c:$x3: %FTPDV$ 0x5963c:$x3: %FTPDV$ 0x19b8b:$x4: $%TelegramDv$ 0x3a5ab:$x4: $%TelegramDv$ 0x5adcb:$x4: $%TelegramDv$ 0x15d79:$x5: KeyLoggerEventArgs 0x1610e:$x5: KeyLoggerEventArgs 0x36799:$x5: KeyLoggerEventArgs 0x36b2e:$x5: KeyLoggerEventArgs 0x56fb9:$x5: KeyLoggerEventArgs 0x5734e:$x5: KeyLoggerEventArgs 0x19a81:$m2: Clipboard Logs ID 0x19cdb:$m2: Screenshot Logs ID 0x19deb:$m2: keystroke Logs ID
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b19:$a1: get_encryptedPassword 0x35339:$a1: get_encryptedPassword 0x14e05:$a2: get_encryptedUsername 0x35625:$a2: get_encryptedUsername 0x14925:$a3: get_timePasswordChanged 0x35145:$a3: get_timePasswordChanged 0x14a20:$a4: get_passwordField 0x35240:$a4: get_passwordField 0x14b2f:$a5: set_encryptedPassword 0x3534f:$a5: set_encryptedPassword 0x161ab:$a7: get_logins 0x369cb:$a7: get_logins 0x1610e:$a10: KeyLoggerEventArgs 0x3692e:$a10: KeyLoggerEventArgs 0x15d79:$a11: KeyLoggerEventArgsEventHandler 0x36599:$a11: KeyLoggerEventArgsEventHandler
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c487:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cca7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bed9:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baec:$a4: \Orbitum\User Data\Default\Login Data 0x3c30c:$a4: \Orbitum\User Data\Default\Login Data 0x1cb2b:$a5: \Kometa\User Data\Default\Login Data 0x3d34b:$a5: \Kometa\User Data\Default\Login Data
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15708:$s1: UnHook 0x35f28:$s1: UnHook 0x1570f:$s2: SetHook 0x35f2f:$s2: SetHook 0x15717:$s3: CallNextHook 0x35f37:$s3: CallNextHook 0x15724:$s4: _hook 0x35f44:$s4: _hook
0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab5:$x1: $%SMTPDV$ 0x3a2d5:$x1: $%SMTPDV$ 0x18450:$x2: $#TheHashHere%& 0x38c70:$x2: $#TheHashHere%& 0x183fc:$x3: %FTPDV$ 0x38c1c:$x3: %FTPDV$ 0x19b8b:$x4: $%TelegramDv$ 0x3a3ab:$x4: $%TelegramDv$ 0x15d79:$x5: KeyLoggerEventArgs 0x1610e:$x5: KeyLoggerEventArgs 0x36599:$x5: KeyLoggerEventArgs 0x3692e:$x5: KeyLoggerEventArgs 0x19a81:$m2: Clipboard Logs ID 0x19cdb:$m2: Screenshot Logs ID 0x19deb:$m2: keystroke Logs ID 0x3a2a1:$m2: Clipboard Logs ID 0x3a4fb:$m2: Screenshot Logs ID 0x3a60b:$m2: keystroke Logs ID 0x1a0c5:$m3: SnakePW 0x3a8e5:$m3: SnakePW 0x19cb3:$m4: \SnakeKeylogger\
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1MB267382625AE.exe", ParentImage: C:\Users\user\Desktop\z1MB267382625AE.exe, ParentProcessId: 3400, ParentProcessName: z1MB267382625AE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", ProcessId: 7152, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pNgFqm.exe, ParentImage: C:\Users\user\AppData\Roaming\pNgFqm.exe, ParentProcessId: 5840, ParentProcessName: pNgFqm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp", ProcessId: 3664, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1MB267382625AE.exe", ParentImage: C:\Users\user\Desktop\z1MB267382625AE.exe, ParentProcessId: 3400, ParentProcessName: z1MB267382625AE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", ProcessId: 6464, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1MB267382625AE.exe", ParentImage: C:\Users\user\Desktop\z1MB267382625AE.exe, ParentProcessId: 3400, ParentProcessName: z1MB267382625AE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe", ProcessId: 7152, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z1MB267382625AE.exe", ParentImage: C:\Users\user\Desktop\z1MB267382625AE.exe, ParentProcessId: 3400, ParentProcessName: z1MB267382625AE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp", ProcessId: 6464, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T10:32:35.144011+0100	2803305	3	Unknown Traffic	192.168.2.11	49707	188.114.97.3	443	TCP
2024-11-21T10:32:38.354159+0100	2803305	3	Unknown Traffic	192.168.2.11	49711	188.114.97.3	443	TCP
2024-11-21T10:32:39.900242+0100	2803305	3	Unknown Traffic	192.168.2.11	49712	188.114.97.3	443	TCP
2024-11-21T10:32:43.024536+0100	2803305	3	Unknown Traffic	192.168.2.11	49716	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T10:32:30.951226+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	132.226.247.73	80	TCP
2024-11-21T10:32:33.560633+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	132.226.247.73	80	TCP
2024-11-21T10:32:35.919985+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP
2024-11-21T10:32:36.638732+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49709	132.226.247.73	80	TCP
2024-11-21T10:32:38.201238+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49708	132.226.247.73	80	TCP
2024-11-21T10:32:39.873116+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49713	132.226.247.73	80	TCP
2024-11-21T10:32:41.388725+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49715	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://cpanel2-nl.thcservers.com/", "FTP Username": "snup@lifechangerscare.com", "Password": "Uvob2G1Tc73ZCus02X", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\pNgFqm.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: z1MB267382625AE.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\pNgFqm.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z1MB267382625AE.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z1MB267382625AE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49710 version: TLS 1.0

Source: z1MB267382625AE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wJIQ.pdb source: z1MB267382625AE.exe, pNgFqm.exe.0.dr
Source:	Binary string: wJIQ.pdbSHA256 source: z1MB267382625AE.exe, pNgFqm.exe.0.dr

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 0101F1F6h	8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 0101FB80h	8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0101E528
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0101EB5B
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0101ED3C
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06758945h	8_2_06758608
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 067565C9h	8_2_06756320
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 067558C1h	8_2_06755618
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06756171h	8_2_06755EC8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06756A21h	8_2_06756778
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06757751h	8_2_067574A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06750741h	8_2_06750498
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06758001h	8_2_06757D58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06750FF1h	8_2_06750D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06755D19h	8_2_06755A70
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06756E79h	8_2_06756BD0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_067533B8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_067533A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 067572FAh	8_2_06757050
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 067502E9h	8_2_06750040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06750B99h	8_2_067508F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06757BA9h	8_2_06757900
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06758459h	8_2_067581B0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 4x nop then jmp 06755441h	8_2_06755198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 0150F1F6h	13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 0150FB80h	13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_0150E528
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C48945h	13_2_06C48608
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_06C436CE
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C46171h	13_2_06C45EC8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C458C1h	13_2_06C45618
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C46A21h	13_2_06C46778
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C40741h	13_2_06C40498
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C47751h	13_2_06C474A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C40FF1h	13_2_06C40D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C48001h	13_2_06C47D58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C45D19h	13_2_06C45A70
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C46E79h	13_2_06C46BD0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_06C433A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_06C433B8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C465C9h	13_2_06C46320
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C40B99h	13_2_06C408F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C402E9h	13_2_06C40040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C472FAh	13_2_06C47050
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C45441h	13_2_06C45198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C48459h	13_2_06C481B0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 4x nop then jmp 06C47BA9h	13_2_06C47900

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49709 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49705 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49715 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49711 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49707 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49706 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003098000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000316D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: pNgFqm.exe, 0000000D.00000002.3897961690.00000000067B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.0000000002751000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000A.00000002.1512536121.0000000002611000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 0_2_00B8D55C	0_2_00B8D55C
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_01016108	8_2_01016108
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101C193	8_2_0101C193
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101F007	8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101B328	8_2_0101B328
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101C470	8_2_0101C470
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_01016730	8_2_01016730
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101C753	8_2_0101C753
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_01019858	8_2_01019858
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101BBD3	8_2_0101BBD3
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101CA33	8_2_0101CA33
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_01014AD9	8_2_01014AD9
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101BEB7	8_2_0101BEB7
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101E517	8_2_0101E517
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101E528	8_2_0101E528
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_01013573	8_2_01013573
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0101B4F3	8_2_0101B4F3
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675D670	8_2_0675D670
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06758608	8_2_06758608
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675B6E8	8_2_0675B6E8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675A408	8_2_0675A408
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675BD38	8_2_0675BD38
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675AA58	8_2_0675AA58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06758B58	8_2_06758B58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06756320	8_2_06756320
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675C388	8_2_0675C388
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675D028	8_2_0675D028
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675B0A0	8_2_0675B0A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675C9D8	8_2_0675C9D8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067511A0	8_2_067511A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675D663	8_2_0675D663
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755618	8_2_06755618
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755609	8_2_06755609
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675B6D9	8_2_0675B6D9
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755EC8	8_2_06755EC8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755EB8	8_2_06755EB8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06756778	8_2_06756778
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675676A	8_2_0675676A
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06753730	8_2_06753730
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06754430	8_2_06754430
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067574A8	8_2_067574A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757497	8_2_06757497
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750498	8_2_06750498
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750488	8_2_06750488
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757D58	8_2_06757D58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750D48	8_2_06750D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757D48	8_2_06757D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750D39	8_2_06750D39
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675BD28	8_2_0675BD28
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067585FC	8_2_067585FC
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755A70	8_2_06755A70
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755A60	8_2_06755A60
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675AA48	8_2_0675AA48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675C378	8_2_0675C378
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06756310	8_2_06756310
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675A3F8	8_2_0675A3F8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06756BD0	8_2_06756BD0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06756BC1	8_2_06756BC1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067533B8	8_2_067533B8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067533A8	8_2_067533A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757050	8_2_06757050
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750040	8_2_06750040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757040	8_2_06757040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06752818	8_2_06752818
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675D018	8_2_0675D018
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06750007	8_2_06750007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06752807	8_2_06752807
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067508F0	8_2_067508F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067578F0	8_2_067578F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067508E0	8_2_067508E0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675B08F	8_2_0675B08F
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06757900	8_2_06757900
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675C9C8	8_2_0675C9C8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067581B0	8_2_067581B0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_067581A0	8_2_067581A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06751191	8_2_06751191
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_06755198	8_2_06755198
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_0675518A	8_2_0675518A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 10_2_0244D55C	10_2_0244D55C
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_01506108	13_2_01506108
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150C190	13_2_0150C190
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150F007	13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150B328	13_2_0150B328
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150C470	13_2_0150C470
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150C752	13_2_0150C752
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_01509858	13_2_01509858
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_01506880	13_2_01506880
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150BBD2	13_2_0150BBD2
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150CA32	13_2_0150CA32
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_01504AD9	13_2_01504AD9
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150BEB0	13_2_0150BEB0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_01503572	13_2_01503572
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150E517	13_2_0150E517
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150E528	13_2_0150E528
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_0150B4F2	13_2_0150B4F2
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4B6E8	13_2_06C4B6E8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4D670	13_2_06C4D670
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C48608	13_2_06C48608
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C48C5B	13_2_06C48C5B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4A408	13_2_06C4A408
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4BD38	13_2_06C4BD38
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4AA58	13_2_06C4AA58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4C388	13_2_06C4C388
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4B0A0	13_2_06C4B0A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4D028	13_2_06C4D028
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4C9D8	13_2_06C4C9D8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C411A0	13_2_06C411A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45EC8	13_2_06C45EC8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4B6E3	13_2_06C4B6E3
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45EB8	13_2_06C45EB8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4D66B	13_2_06C4D66B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4560A	13_2_06C4560A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45618	13_2_06C45618
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4676A	13_2_06C4676A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C46778	13_2_06C46778
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C43730	13_2_06C43730
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40488	13_2_06C40488
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47497	13_2_06C47497
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40498	13_2_06C40498
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C474A8	13_2_06C474A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C44430	13_2_06C44430
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C485FC	13_2_06C485FC
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40D48	13_2_06C40D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47D48	13_2_06C47D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47D58	13_2_06C47D58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4BD33	13_2_06C4BD33
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40D39	13_2_06C40D39
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4AA4B	13_2_06C4AA4B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45A60	13_2_06C45A60
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45A70	13_2_06C45A70
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C46BC1	13_2_06C46BC1
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C46BD0	13_2_06C46BD0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4A3F8	13_2_06C4A3F8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4C383	13_2_06C4C383
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C433A8	13_2_06C433A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C433B8	13_2_06C433B8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C46312	13_2_06C46312
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C46320	13_2_06C46320
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C408E0	13_2_06C408E0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C408F0	13_2_06C408F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C478F0	13_2_06C478F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4B09B	13_2_06C4B09B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40040	13_2_06C40040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47040	13_2_06C47040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47050	13_2_06C47050
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C40006	13_2_06C40006
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C42807	13_2_06C42807
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C42818	13_2_06C42818
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4D023	13_2_06C4D023
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4C9D3	13_2_06C4C9D3
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C4518A	13_2_06C4518A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C41191	13_2_06C41191
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C45198	13_2_06C45198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C481A0	13_2_06C481A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C481B0	13_2_06C481B0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C47900	13_2_06C47900

Source: z1MB267382625AE.exe, 00000000.00000002.1476561328.00000000050F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000000.1425507637.0000000000302000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1457878096.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1478303769.0000000005C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.000000000276B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1470193070.0000000004C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.0000000002751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000008.00000002.3892251456.0000000000B37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe	Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe

Source: z1MB267382625AE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: z1MB267382625AE.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pNgFqm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File created: C:\Users\user\AppData\Roaming\pNgFqm.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File created: C:\Users\user\AppData\Local\Temp\tmpCA64.tmp

Jump to behavior

Source: z1MB267382625AE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z1MB267382625AE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3897007503.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003215000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3896656638.000000000406B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003267000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003233000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: z1MB267382625AE.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File read: C:\Users\user\Desktop\z1MB267382625AE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe C:\Users\user\AppData\Roaming\pNgFqm.exe
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe "C:\Users\user\AppData\Roaming\pNgFqm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z1MB267382625AE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z1MB267382625AE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: z1MB267382625AE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wJIQ.pdb source: z1MB267382625AE.exe, pNgFqm.exe.0.dr
Source:	Binary string: wJIQ.pdbSHA256 source: z1MB267382625AE.exe, pNgFqm.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs	.Net Code: QNSgyL9ZSf System.Reflection.Assembly.Load(byte[])
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs	.Net Code: QNSgyL9ZSf System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Code function: 8_2_010124B9 push 8BFFFFFFh; retf	8_2_010124BF
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C497E9 push ss; ret	13_2_06C497EA
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C497F8 push ss; ret	13_2_06C49896
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C48C51 push cs; ret	13_2_06C48C52
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C49A4B push ss; ret	13_2_06C49A4E
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Code function: 13_2_06C49999 push ss; ret	13_2_06C4999A

Source: z1MB267382625AE.exe	Static PE information: section name: .text entropy: 7.796333260791543
Source: pNgFqm.exe.0.dr	Static PE information: section name: .text entropy: 7.796333260791543

Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, NJrKCeQ3un60MZ1QKE.cs	High entropy of concatenated method names: 'NQBsNNYweq', 'ybpsbdbKEI', 'HhR1tCoL9M', 'f1s1lpEgSl', 'QHc1TuDsRW', 'UCJ1U5x0XT', 'gvp1JgeoDP', 'muy1d6j0EV', 'pqk15OxwKG', 'lLw1qHdpOH'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, fSyZE5rDZvdJn9DXtY.cs	High entropy of concatenated method names: 'G0lpjuTuZs', 'iLZpAjJArR', 'nUhaFPW2P4', 'FdBaBdYiPl', 'Ed6pHnRAaU', 'smopDMiwQI', 'Vw2pVf9E4U', 'PTZpfHwZ40', 'ok9pCJMQpZ', 'BIcpOmbDL1'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, C7p1976WpxdpiE3qDH.cs	High entropy of concatenated method names: 'RBq14uGoTe', 'bfg1Gx8wCb', 'fvD1uAWiQt', 'TAo16T9TZk', 'E8I1ZTjw3c', 'Jkf18VgOfd', 'uGj1pleFD1', 'CHZ1a8gEba', 'NX3175SnZ2', 'QVV12UkS8O'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, YZDwvZBBnDdGi69nQnm.cs	High entropy of concatenated method names: 'UW52AtWkm0', 'i6i2zrJFH1', 'mwFRFCiw9r', 'BOORBNJpSB', 'XkORW9CDx1', 'U6fRoJqpww', 'tvYRgdydxF', 'MBaRhNm1CD', 'F1eRPY9ZMC', 'VHGRE5XLGt'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, LDDoBh5m2tPpAyxati.cs	High entropy of concatenated method names: 'gEPvKS2M5P', 'bl9v3yP2fn', 'TSnvyCpaQZ', 'Bhkv4ViQWM', 'kZpvNavwlF', 'GohvGxFy04', 'fADvbDoeSK', 'w7evuJ1KDp', 'Fkuv6v2TDJ', 'pNSvQal7i8'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs	High entropy of concatenated method names: 'EgkEfKmGPr', 'AscECAlHA5', 'MDmEO0Dmrv', 'raGEXb3ooO', 'LSFEnPtUde', 'UukErr2XOQ', 'rXYExiXdkW', 'anbEj6ZVnw', 'YcjE0tJl4x', 'RgAEAwH5nM'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, VV1gciVI4BL7lT53tl.cs	High entropy of concatenated method names: 'aA9euDFQD5', 'in3e6mTopO', 's30emXqCqk', 'L2KeYGcF2k', 'vldel2LoH2', 'JBeeT15I28', 'RExeJZwdsf', 'iv9edXao92', 'JH5eq1TJmj', 'jymeHMWwP5'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, wiUCrRJON8iBnF8uWx.cs	High entropy of concatenated method names: 'plZvPjTi1h', 'nQ0v16JBxh', 'UX5vL4X6rR', 'sWZLAYyCa5', 'AqULzbvAc6', 'KZYvFFZq4j', 'zc5vBU40xV', 'rUOvWpIvKK', 'in3voiIsBo', 'oYrvg6518Y'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, G3BWbf0bZM0Mx69pbj.cs	High entropy of concatenated method names: 'NSG7mPm9sM', 'DxS7Y3Ssix', 'ool7tutOUy', 'nAu7lvvlXI', 'DFj7TMwHED', 'Xj47UNGLt3', 'I6D7JSuOFJ', 'hd17dwfpy3', 'V5e75lcBL4', 'mZE7q4L0vO'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, vZDPAsz2Q0dRk9j1J3.cs	High entropy of concatenated method names: 'lcB2GEMQW5', 'Xv72uy4yG6', 'W3726bMS9T', 'Rsh2m2eeT0', 'jrW2YAWWr5', 'vnT2ltn6sA', 'k652TtidTu', 'fAS2cftEyo', 'hGV2KxXcWe', 'BQP23HFMtX'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, JVZcpDAGO2p5Cx1j8e.cs	High entropy of concatenated method names: 'z2s21cGVVN', 'yp22sQXBrx', 'cPC2LVJ3Sd', 'epn2vf1evV', 'ohg27oExdY', 'wOj2I6w8hi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, QKTkR7BFhU60XmjIbn6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I4s2HKUAQn', 'BX72DTj8rX', 'JgE2Vqn2dW', 'VTp2fRVdCZ', 'fNH2CYcECm', 'prJ2OBt6aH', 'W9F2XRpWSv'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, QpkwaDxGqb3Tn7ojrp.cs	High entropy of concatenated method names: 'hgx7Z2epbL', 'fwA7pNne3M', 'ufn77e6m7E', 'OCP7RM2UGD', 'mfT7Sa7Rg9', 'Bqw7cN1mTD', 'Dispose', 'YgHaPaAsIp', 'f4eaEcPqmr', 'z4fa14loyX'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, TSSuwX1321RDOYSMDs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Dl6W0p8sJZ', 'z76WABEKlb', 'tGOWzka0NU', 'h2CoFY4Mfm', 'gpQoB7J3hy', 'TMMoWS48aT', 'HkvooGywPk', 'wFxe2lGwiXKVhl7Fyo7'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, z0JtUNmrWRDPjyBNi5.cs	High entropy of concatenated method names: 'H1ULhoyi1n', 'RreLEFwjgY', 'DpkLs5POE8', 'Oc6Lvbm1In', 'HgVLIILKGw', 'Hhisnh6yBM', 'wxAsrdFm1N', 'MdksxJvqlu', 'AmrsjQYOvA', 'Figs0cU2o6'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, zHqVqmBgPs2cdio7TdG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TtYk7ZmdfI', 'Q2qk2IphcL', 'mJdkRy7QpQ', 'Ul4kki7NXW', 'AnCkSQrnTb', 'ELkk9aemVf', 'jrHkcwe7CE'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, lkFS2dEPctdY0uI2Y8.cs	High entropy of concatenated method names: 'Dispose', 'C3TB0n7ojr', 'PAdWY3VAIF', 'SaQy1akG4S', 'qj4BA64JMY', 'In0BzE9sWY', 'ProcessDialogKey', 'vGmWF3BWbf', 'CZMWB0Mx69', 'qbjWWTVZcp'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, LRPDjNgp89N91EAp0v.cs	High entropy of concatenated method names: 'fMoBvZ0gV3', 'NACBIxDwCE', 'rWpBwxdpiE', 'yqDBMH5JrK', 'o1QBZKEy0J', 'IUNB8rWRDP', 'x9N9cn2nvAf4yeGxva', 'HjuE8GH1jR71Q7O0vW', 'EAKBBDcP7r', 'kSuBoZcC1k'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, pF3wvQBWHey0f0bWYau.cs	High entropy of concatenated method names: 'ToString', 'sSiRuOSdht', 'zyvR6SixqC', 'KmSRQBRCM2', 'l8ERmlvwH6', 'TpPRYsJ42l', 'e60RtkA4O4', 'ya2RlLwKPo', 'aFeOXFwEUBZGxJBm8AH', 'bi3BCYwWO5pP2aySBU5'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs	High entropy of concatenated method names: 'mZOohvXAbW', 'IvKoPEMyaZ', 'J3noEiGlUC', 'RBJo16GR4e', 'UKSospics3', 'oYfoLxVpa9', 'Sf4ov5mk6f', 'oehoInl7we', 'GDwoif9H6m', 'd0CowrYpui'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, uKLxFGWqQk5xT6QMyj.cs	High entropy of concatenated method names: 'OelyM5GSY', 'jXb42we54', 'JGuGGNW2Y', 'lM7bWQYqf', 'mHC6nI1XK', 'MOQQjkBem', 'c6x1qDo6mXfHrr32oi', 'AwOYYmKktZYLwJndmJ', 'C3saqvcUw', 'ca72uCgP6'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, NJrKCeQ3un60MZ1QKE.cs	High entropy of concatenated method names: 'NQBsNNYweq', 'ybpsbdbKEI', 'HhR1tCoL9M', 'f1s1lpEgSl', 'QHc1TuDsRW', 'UCJ1U5x0XT', 'gvp1JgeoDP', 'muy1d6j0EV', 'pqk15OxwKG', 'lLw1qHdpOH'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, fSyZE5rDZvdJn9DXtY.cs	High entropy of concatenated method names: 'G0lpjuTuZs', 'iLZpAjJArR', 'nUhaFPW2P4', 'FdBaBdYiPl', 'Ed6pHnRAaU', 'smopDMiwQI', 'Vw2pVf9E4U', 'PTZpfHwZ40', 'ok9pCJMQpZ', 'BIcpOmbDL1'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, C7p1976WpxdpiE3qDH.cs	High entropy of concatenated method names: 'RBq14uGoTe', 'bfg1Gx8wCb', 'fvD1uAWiQt', 'TAo16T9TZk', 'E8I1ZTjw3c', 'Jkf18VgOfd', 'uGj1pleFD1', 'CHZ1a8gEba', 'NX3175SnZ2', 'QVV12UkS8O'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, YZDwvZBBnDdGi69nQnm.cs	High entropy of concatenated method names: 'UW52AtWkm0', 'i6i2zrJFH1', 'mwFRFCiw9r', 'BOORBNJpSB', 'XkORW9CDx1', 'U6fRoJqpww', 'tvYRgdydxF', 'MBaRhNm1CD', 'F1eRPY9ZMC', 'VHGRE5XLGt'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, LDDoBh5m2tPpAyxati.cs	High entropy of concatenated method names: 'gEPvKS2M5P', 'bl9v3yP2fn', 'TSnvyCpaQZ', 'Bhkv4ViQWM', 'kZpvNavwlF', 'GohvGxFy04', 'fADvbDoeSK', 'w7evuJ1KDp', 'Fkuv6v2TDJ', 'pNSvQal7i8'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs	High entropy of concatenated method names: 'EgkEfKmGPr', 'AscECAlHA5', 'MDmEO0Dmrv', 'raGEXb3ooO', 'LSFEnPtUde', 'UukErr2XOQ', 'rXYExiXdkW', 'anbEj6ZVnw', 'YcjE0tJl4x', 'RgAEAwH5nM'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, VV1gciVI4BL7lT53tl.cs	High entropy of concatenated method names: 'aA9euDFQD5', 'in3e6mTopO', 's30emXqCqk', 'L2KeYGcF2k', 'vldel2LoH2', 'JBeeT15I28', 'RExeJZwdsf', 'iv9edXao92', 'JH5eq1TJmj', 'jymeHMWwP5'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, wiUCrRJON8iBnF8uWx.cs	High entropy of concatenated method names: 'plZvPjTi1h', 'nQ0v16JBxh', 'UX5vL4X6rR', 'sWZLAYyCa5', 'AqULzbvAc6', 'KZYvFFZq4j', 'zc5vBU40xV', 'rUOvWpIvKK', 'in3voiIsBo', 'oYrvg6518Y'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, G3BWbf0bZM0Mx69pbj.cs	High entropy of concatenated method names: 'NSG7mPm9sM', 'DxS7Y3Ssix', 'ool7tutOUy', 'nAu7lvvlXI', 'DFj7TMwHED', 'Xj47UNGLt3', 'I6D7JSuOFJ', 'hd17dwfpy3', 'V5e75lcBL4', 'mZE7q4L0vO'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, vZDPAsz2Q0dRk9j1J3.cs	High entropy of concatenated method names: 'lcB2GEMQW5', 'Xv72uy4yG6', 'W3726bMS9T', 'Rsh2m2eeT0', 'jrW2YAWWr5', 'vnT2ltn6sA', 'k652TtidTu', 'fAS2cftEyo', 'hGV2KxXcWe', 'BQP23HFMtX'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, JVZcpDAGO2p5Cx1j8e.cs	High entropy of concatenated method names: 'z2s21cGVVN', 'yp22sQXBrx', 'cPC2LVJ3Sd', 'epn2vf1evV', 'ohg27oExdY', 'wOj2I6w8hi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, QKTkR7BFhU60XmjIbn6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I4s2HKUAQn', 'BX72DTj8rX', 'JgE2Vqn2dW', 'VTp2fRVdCZ', 'fNH2CYcECm', 'prJ2OBt6aH', 'W9F2XRpWSv'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, QpkwaDxGqb3Tn7ojrp.cs	High entropy of concatenated method names: 'hgx7Z2epbL', 'fwA7pNne3M', 'ufn77e6m7E', 'OCP7RM2UGD', 'mfT7Sa7Rg9', 'Bqw7cN1mTD', 'Dispose', 'YgHaPaAsIp', 'f4eaEcPqmr', 'z4fa14loyX'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, TSSuwX1321RDOYSMDs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Dl6W0p8sJZ', 'z76WABEKlb', 'tGOWzka0NU', 'h2CoFY4Mfm', 'gpQoB7J3hy', 'TMMoWS48aT', 'HkvooGywPk', 'wFxe2lGwiXKVhl7Fyo7'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, z0JtUNmrWRDPjyBNi5.cs	High entropy of concatenated method names: 'H1ULhoyi1n', 'RreLEFwjgY', 'DpkLs5POE8', 'Oc6Lvbm1In', 'HgVLIILKGw', 'Hhisnh6yBM', 'wxAsrdFm1N', 'MdksxJvqlu', 'AmrsjQYOvA', 'Figs0cU2o6'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, zHqVqmBgPs2cdio7TdG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TtYk7ZmdfI', 'Q2qk2IphcL', 'mJdkRy7QpQ', 'Ul4kki7NXW', 'AnCkSQrnTb', 'ELkk9aemVf', 'jrHkcwe7CE'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, lkFS2dEPctdY0uI2Y8.cs	High entropy of concatenated method names: 'Dispose', 'C3TB0n7ojr', 'PAdWY3VAIF', 'SaQy1akG4S', 'qj4BA64JMY', 'In0BzE9sWY', 'ProcessDialogKey', 'vGmWF3BWbf', 'CZMWB0Mx69', 'qbjWWTVZcp'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, LRPDjNgp89N91EAp0v.cs	High entropy of concatenated method names: 'fMoBvZ0gV3', 'NACBIxDwCE', 'rWpBwxdpiE', 'yqDBMH5JrK', 'o1QBZKEy0J', 'IUNB8rWRDP', 'x9N9cn2nvAf4yeGxva', 'HjuE8GH1jR71Q7O0vW', 'EAKBBDcP7r', 'kSuBoZcC1k'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, pF3wvQBWHey0f0bWYau.cs	High entropy of concatenated method names: 'ToString', 'sSiRuOSdht', 'zyvR6SixqC', 'KmSRQBRCM2', 'l8ERmlvwH6', 'TpPRYsJ42l', 'e60RtkA4O4', 'ya2RlLwKPo', 'aFeOXFwEUBZGxJBm8AH', 'bi3BCYwWO5pP2aySBU5'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs	High entropy of concatenated method names: 'mZOohvXAbW', 'IvKoPEMyaZ', 'J3noEiGlUC', 'RBJo16GR4e', 'UKSospics3', 'oYfoLxVpa9', 'Sf4ov5mk6f', 'oehoInl7we', 'GDwoif9H6m', 'd0CowrYpui'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, uKLxFGWqQk5xT6QMyj.cs	High entropy of concatenated method names: 'OelyM5GSY', 'jXb42we54', 'JGuGGNW2Y', 'lM7bWQYqf', 'mHC6nI1XK', 'MOQQjkBem', 'c6x1qDo6mXfHrr32oi', 'AwOYYmKktZYLwJndmJ', 'C3saqvcUw', 'ca72uCgP6'

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

File created: C:\Users\user\AppData\Roaming\pNgFqm.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNgFqm.exe PID: 5840, type: MEMORYSTR

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 5DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 6DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 6F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 7F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Memory allocated: 49D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 5C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 6C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 6D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 7D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 1500000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Memory allocated: 2F10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598236	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597711	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597567	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599032
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597579
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597454
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597329
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596587
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596480
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595907
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595782
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594938
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594110

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7582	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 390	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5975	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Window / User API: threadDelayed 2177	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Window / User API: threadDelayed 7650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Window / User API: threadDelayed 1703
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Window / User API: threadDelayed 8124

Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 3284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4228	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 628	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 4272	Thread sleep count: 2177 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 4272	Thread sleep count: 7650 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598236s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597711s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597567s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4484	Thread sleep count: 1703 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4484	Thread sleep count: 8124 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -599032s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598204s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -598079s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597954s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597829s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597704s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597579s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597454s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597329s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597204s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -597079s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596954s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596829s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596704s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596587s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596480s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -596016s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595907s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595782s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595657s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594938s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208	Thread sleep time: -594110s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598236	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597711	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597567	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 599032
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 598079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597579
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597454
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597329
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596587
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596480
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595907
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595782
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594938
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Thread delayed: delay time: 594110

Source: z1MB267382625AE.exe, 00000008.00000002.3892585173.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3892476294.00000000011B7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe "C:\Users\user\AppData\Roaming\pNgFqm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Users\user\Desktop\z1MB267382625AE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Users\user\Desktop\z1MB267382625AE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Users\user\AppData\Roaming\pNgFqm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Users\user\AppData\Roaming\pNgFqm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\z1MB267382625AE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\z1MB267382625AE.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z1MB267382625AE.exe	32%	ReversingLabs
z1MB267382625AE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\pNgFqm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\pNgFqm.exe	32%	ReversingLabs

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.75	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.microsoft.c	pNgFqm.exe, 0000000D.00000002.3897961690.00000000067B0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003098000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000316D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z1MB267382625AE.exe, 00000000.00000002.1463110656.0000000002751000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000A.00000002.1512536121.0000000002611000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75$	z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560033
Start date and time:	2024-11-21 10:31:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z1MB267382625AE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 237 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target pNgFqm.exe, PID 5764 because it is empty
Execution Graph export aborted for target z1MB267382625AE.exe, PID 2536 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: z1MB267382625AE.exe

Simulations

Behavior and APIs

Time	Type	Description
04:32:24	API Interceptor	8430721x Sleep call for process: z1MB267382625AE.exe modified
04:32:27	API Interceptor	36x Sleep call for process: powershell.exe modified
04:32:30	API Interceptor	5857633x Sleep call for process: pNgFqm.exe modified
10:32:29	Task Scheduler	Run new task: pNgFqm path: C:\Users\user\AppData\Roaming\pNgFqm.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
132.226.247.73	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	96c27caf-3816-d26f-4af5-19e1d76e6c15.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://cabinetstogollc-my.sharepoint.com/:b:/g/personal/store802_cabinetstogo_com/EYepBlB4QExJsG0U-4jKG4ABoZxLg7rdp0_zjjwabbUc1g?e=q4iRIE&com.microsoft.intune.mam.appmdmmgtstate=2&com.microsoft.intune.mam.policysource=2&com.microsoft.intune.mam.identity=mcle%40novozymes.com&com.microsoft.intune.mam.policy=1&com.micro	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://account.metasystemchat.com/	Get hash	malicious	Unknown	Browse	104.16.123.96
	+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg	Get hash	malicious	HtmlDropper	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://rebrand.ly/gs02u8a	Get hash	malicious	Unknown	Browse	104.26.4.15
	test2.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	test2.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	DATASHEET.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
UTMEMUS	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Benefit Enrollment -16oy1xb.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	JasonRAT	Browse	188.114.97.3
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3

Process:	C:\Users\user\AppData\Roaming\pNgFqm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z1MB267382625AE.exe.log

Download File

Process:	C:\Users\user\Desktop\z1MB267382625AE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	FC2D360EC9CA945C562E3B5C1685B424
SHA1:	4B69CCEDE2E97E9F699C76EE0148C105E7D6FFA4
SHA-256:	7BB70E950D7A4B6C6047A44D4F722245B5E872228CF58FA2005FEE27979C25CF
SHA-512:	2C22E9797C5124D72B70493DBD64AA9C331A5B647BD2A0AD3E46DB8AAF10CFE3AD9274E525F83B19A8EDBC4E419DCCA32BA081E8D8D5D1F0D14A57639B0C50AD
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0lids2i0.t1m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qt33czf.h1g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5t3f3ljf.e33.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3qkfkgz.2gb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbn0vzlk.3d4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eo233raw.kx0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndvlinkz.2qm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zowk15da.xvq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpCA64.tmp

Download File

Process:	C:\Users\user\Desktop\z1MB267382625AE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.0789889576346425
Encrypted:	false
SSDEEP:	24:2di4+S2qhLX1a4y1mEBUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtihxvn:cgeTgYrFdOFzOzN33ODOiDdKrsuTOv
MD5:	809744A9F564C698F746F49D7AD49CEC
SHA1:	9721BFB93E54D9BE4D20ADC2ACC14FDB19BDADA5
SHA-256:	2A87AC3B54AEDDE6CD6670C4A698F2A77E6F1A829DE1CA9C58F01D70BC351505
SHA-512:	F177EDF16BEBF8578EC81D973BE1E888C321BACC931B93D34E0DBF0255508D0EFA24C54F30FC8646CD7A931FF9273B9EA71E8F68F30BC702C993EEF2949E691E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\pNgFqm.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.0789889576346425
Encrypted:	false
SSDEEP:	24:2di4+S2qhLX1a4y1mEBUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtihxvn:cgeTgYrFdOFzOzN33ODOiDdKrsuTOv
MD5:	809744A9F564C698F746F49D7AD49CEC
SHA1:	9721BFB93E54D9BE4D20ADC2ACC14FDB19BDADA5
SHA-256:	2A87AC3B54AEDDE6CD6670C4A698F2A77E6F1A829DE1CA9C58F01D70BC351505
SHA-512:	F177EDF16BEBF8578EC81D973BE1E888C321BACC931B93D34E0DBF0255508D0EFA24C54F30FC8646CD7A931FF9273B9EA71E8F68F30BC702C993EEF2949E691E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\pNgFqm.exe

Download File

Process:	C:\Users\user\Desktop\z1MB267382625AE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	651776
Entropy (8bit):	7.787844330667463
Encrypted:	false
SSDEEP:	12288:1X3wtfRzxWW1odEy2OROXqt81WwzD7ZgJh9XxcALs5RFyu:1XMpzxWz2ORSq0zDF4hzcis5Rl
MD5:	B996196F91E1480BA0A4BB0304A1F960
SHA1:	417EDFB082A48D152475E0A174162D05E9581045
SHA-256:	F6B094D042F1CCC79EF5060B18495C6BEE55585630FAC2C3D3F32A8C9C174DE6
SHA-512:	DC33BE712BD0D7B9A85706206E93389209BFF95B7F1BF6D16537917B2267E6A628381D912C387300D780A46565A8FC35BE8873ED7BC5471279E15098C5FC76AB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.>g..............0.............".... ... ....@.. .......................`............@.....................................O.... .......................@..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............G......?....................................................0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+...0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..

C:\Users\user\AppData\Roaming\pNgFqm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\z1MB267382625AE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.787844330667463
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	z1MB267382625AE.exe
File size:	651'776 bytes
MD5:	b996196f91e1480ba0a4bb0304a1f960
SHA1:	417edfb082a48d152475e0a174162d05e9581045
SHA256:	f6b094d042f1ccc79ef5060b18495c6bee55585630fac2c3d3f32a8c9c174de6
SHA512:	dc33be712bd0d7b9a85706206e93389209bff95b7f1bf6d16537917b2267e6a628381d912c387300d780a46565a8fc35be8873ed7bc5471279e15098c5fc76ab
SSDEEP:	12288:1X3wtfRzxWW1odEy2OROXqt81WwzD7ZgJh9XxcALs5RFyu:1XMpzxWz2ORSq0zDF4hzcis5Rl
TLSH:	8BD4F051E69C6BE1D42247FBEC21F2081736BB5E982CDA182DB3B5CB2571BC26521D0F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.>g..............0.............".... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a0722
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673EDB6A [Thu Nov 21 07:04:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa06cd	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9edf0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e728	0x9e800	67b92372476458bcad3317f5b0fbaf15	False	0.870400606269716	VAX-order 68K Blit (standalone) executable	7.796333260791543	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x5f4	0x600	939c10956ac4cf0a0fd1f82081e5e74e	False	0.4361979166666667	data	4.175523813562637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	e5bb79bd1760c144728d521ff1901f5a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x364	data			0.4308755760368664
RT_MANIFEST	0xa2404	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T10:32:30.951226+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49705	132.226.247.73	80	TCP
2024-11-21T10:32:33.560633+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49705	132.226.247.73	80	TCP
2024-11-21T10:32:35.144011+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49707	188.114.97.3	443	TCP
2024-11-21T10:32:35.919985+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP
2024-11-21T10:32:36.638732+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49709	132.226.247.73	80	TCP
2024-11-21T10:32:38.201238+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49708	132.226.247.73	80	TCP
2024-11-21T10:32:38.354159+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49711	188.114.97.3	443	TCP
2024-11-21T10:32:39.873116+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49713	132.226.247.73	80	TCP
2024-11-21T10:32:39.900242+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49712	188.114.97.3	443	TCP
2024-11-21T10:32:41.388725+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49715	132.226.247.73	80	TCP
2024-11-21T10:32:43.024536+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49716	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:32:28.902838945 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:29.022641897 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:29.022974014 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:29.023571968 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:29.143043995 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:30.374015093 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:30.383701086 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:30.503165960 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:30.817543030 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:30.951225996 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:31.148015976 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:31.148046017 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:31.148178101 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:31.155415058 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:31.155437946 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.373655081 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.373759031 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.381558895 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.381576061 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.381937981 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.451241970 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.582540989 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.627334118 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.910628080 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.910687923 CET	443	49706	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:32.910731077 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.982208967 CET	49706	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:32.993860006 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:33.114767075 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:33.426985025 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:33.430047035 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:33.430103064 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:33.430339098 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:33.430696964 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:33.430710077 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:33.560632944 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:33.867887974 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:33.987479925 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:33.987584114 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:33.987926960 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:34.107477903 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:34.686855078 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:34.689394951 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:34.689409018 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:35.143938065 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:35.144023895 CET	443	49707	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:35.145054102 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:35.145364046 CET	49707	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:35.150752068 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.150753975 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.270266056 CET	80	49709	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.270632029 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.270852089 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.270989895 CET	80	49705	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.271208048 CET	49705	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.383210897 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.390548944 CET	80	49709	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.432933092 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.552544117 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.875396967 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:35.919985056 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:35.923428059 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:35.923463106 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:35.923525095 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:35.929449081 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:35.929471970 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:36.586568117 CET	80	49709	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:36.587629080 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:36.587670088 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:36.587745905 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:36.588017941 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:36.588038921 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:36.638731956 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:37.236038923 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.236114979 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.237981081 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.237989902 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.238351107 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.279412985 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.300972939 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.343358040 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.711393118 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.711456060 CET	443	49710	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.711518049 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.715055943 CET	49710	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.718838930 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:37.838601112 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:37.891182899 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:37.893924952 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:37.893956900 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:38.161180019 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:38.163072109 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:38.163116932 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:38.163201094 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:38.164019108 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:38.164031029 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:38.201237917 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.354206085 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:38.354299068 CET	443	49711	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:38.354521036 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:38.354832888 CET	49711	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:38.358563900 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.360095978 CET	49713	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.478429079 CET	80	49709	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:38.478513002 CET	49709	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.479573965 CET	80	49713	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:38.479686022 CET	49713	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.479870081 CET	49713	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:38.600157022 CET	80	49713	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:39.428276062 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.432635069 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.432660103 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.831293106 CET	80	49713	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:39.832885981 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.832911968 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.833014011 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.833283901 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.833296061 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.873116016 CET	49713	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:39.900290012 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.900365114 CET	443	49712	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:39.900635958 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.900917053 CET	49712	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:39.904192924 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:39.905338049 CET	49715	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:40.025368929 CET	80	49715	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:40.025455952 CET	49715	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:40.025605917 CET	49715	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:40.027160883 CET	80	49708	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:40.027235031 CET	49708	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:40.145169973 CET	80	49715	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:41.137409925 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.139352083 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.139369965 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.336775064 CET	80	49715	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:41.366362095 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.366405010 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.366467953 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.366863012 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.366877079 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.388725042 CET	49715	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:41.606380939 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.606452942 CET	443	49714	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:41.606502056 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.606914997 CET	49714	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:41.611943007 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:41.731678963 CET	80	49717	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:41.731756926 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:41.731941938 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:41.851871967 CET	80	49717	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:42.580054045 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:42.581604958 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:42.581633091 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:43.024548054 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:43.024626017 CET	443	49716	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:43.024738073 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:43.025227070 CET	49716	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:43.029932976 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:43.128148079 CET	80	49717	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:43.129715919 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:43.129759073 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:43.129865885 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:43.130120039 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:43.130134106 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:43.149821997 CET	80	49719	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:43.149931908 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:43.150055885 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:43.170001984 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:43.269824028 CET	80	49719	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:44.353241920 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.354825974 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.354873896 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.545739889 CET	80	49719	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:44.547086954 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.547142029 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.547214031 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.547473907 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.547491074 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.591862917 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:44.799969912 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.800040960 CET	443	49720	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:44.800093889 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.800753117 CET	49720	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:44.803749084 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:44.804698944 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:44.923763037 CET	80	49717	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:44.923844099 CET	49717	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:44.924215078 CET	80	49723	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:44.924283028 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:44.924429893 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:45.044028044 CET	80	49723	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:45.802988052 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:45.805557966 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:45.805608034 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:46.262499094 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:46.262550116 CET	443	49722	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:46.262625933 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:46.263092995 CET	49722	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:46.266370058 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.267466068 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.277137041 CET	80	49723	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:46.278148890 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:46.278189898 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:46.278286934 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:46.278819084 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:46.278835058 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:46.326555014 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.386135101 CET	80	49719	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:46.386243105 CET	49719	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.386960983 CET	80	49726	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:46.387046099 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.387248039 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:46.506761074 CET	80	49726	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:47.584769964 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:47.594043970 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:47.594068050 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:47.691576958 CET	80	49726	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:47.692943096 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:47.692975998 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:47.693078041 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:47.693339109 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:47.693352938 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:47.732498884 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.050437927 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:48.050534964 CET	443	49727	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:48.050652981 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:48.051080942 CET	49727	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:48.054326057 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.055599928 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.174638987 CET	80	49723	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:48.174839020 CET	49723	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.175436020 CET	80	49729	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:48.175550938 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.175750017 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:48.295383930 CET	80	49729	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:49.003792048 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.013442993 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.013459921 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.467144012 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.467339039 CET	443	49728	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.467417002 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.467828035 CET	49728	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.470882893 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.471904039 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.483396053 CET	80	49729	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:49.484616995 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.484646082 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.484834909 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.484977961 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:49.484988928 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:49.529476881 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.590665102 CET	80	49726	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:49.590749025 CET	49726	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.591506004 CET	80	49730	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:49.591681957 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.591799974 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:49.711308956 CET	80	49730	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:50.788856983 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:50.790637970 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:50.790658951 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:50.945316076 CET	80	49730	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:50.946533918 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:50.946568966 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:50.946638107 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:50.946883917 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:50.946899891 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:50.998188972 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.251912117 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:51.251986027 CET	443	49731	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:51.252096891 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:51.252571106 CET	49731	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:51.255798101 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.256927013 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.375854015 CET	80	49729	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:51.376018047 CET	49729	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.376411915 CET	80	49733	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:51.376496077 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.376671076 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:51.496117115 CET	80	49733	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:52.254904032 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.256622076 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.256644964 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.717792034 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.717864037 CET	443	49732	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.717955112 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.718403101 CET	49732	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.721695900 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.723012924 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.726036072 CET	80	49733	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:52.727222919 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.727266073 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.727349043 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.727610111 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:52.727624893 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:52.779643059 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.841597080 CET	80	49730	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:52.841666937 CET	49730	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.842614889 CET	80	49734	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:52.842694998 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.842830896 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:52.962676048 CET	80	49734	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:54.032150984 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.033999920 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:54.034020901 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.146330118 CET	80	49734	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:54.147763014 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:54.147813082 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.147881031 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:54.148119926 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:54.148137093 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.201360941 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:54.495712996 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.495785952 CET	443	49735	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:54.496073008 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:54.496485949 CET	49735	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:55.363579035 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:55.365550995 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:55.365578890 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:55.938529968 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:55.938725948 CET	443	49736	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:55.938859940 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:55.939285994 CET	49736	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:55.942715883 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:55.943830967 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:56.062472105 CET	80	49734	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:56.062592030 CET	49734	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:56.063322067 CET	80	49737	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:56.063402891 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:56.063653946 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:56.184266090 CET	80	49737	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:57.419159889 CET	80	49737	132.226.247.73	192.168.2.11
Nov 21, 2024 10:32:57.420253038 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:57.420288086 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:57.420360088 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:57.420567989 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:57.420581102 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:57.466890097 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:32:58.728979111 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:58.730930090 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:58.730969906 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:59.192127943 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:59.192197084 CET	443	49738	188.114.97.3	192.168.2.11
Nov 21, 2024 10:32:59.192249060 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:32:59.192754030 CET	49738	443	192.168.2.11	188.114.97.3
Nov 21, 2024 10:33:44.830382109 CET	80	49713	132.226.247.73	192.168.2.11
Nov 21, 2024 10:33:44.830437899 CET	49713	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:33:46.335967064 CET	80	49715	132.226.247.73	192.168.2.11
Nov 21, 2024 10:33:46.336042881 CET	49715	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:33:57.726725101 CET	80	49733	132.226.247.73	192.168.2.11
Nov 21, 2024 10:33:57.726808071 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:34:02.419676065 CET	80	49737	132.226.247.73	192.168.2.11
Nov 21, 2024 10:34:02.419750929 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:34:32.732858896 CET	49733	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:34:32.852437973 CET	80	49733	132.226.247.73	192.168.2.11
Nov 21, 2024 10:34:37.421135902 CET	49737	80	192.168.2.11	132.226.247.73
Nov 21, 2024 10:34:37.540673018 CET	80	49737	132.226.247.73	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:32:28.669604063 CET	62023	53	192.168.2.11	1.1.1.1
Nov 21, 2024 10:32:28.896713972 CET	53	62023	1.1.1.1	192.168.2.11
Nov 21, 2024 10:32:30.920213938 CET	52512	53	192.168.2.11	1.1.1.1
Nov 21, 2024 10:32:31.147367954 CET	53	52512	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 10:32:28.669604063 CET	192.168.2.11	1.1.1.1	0x525a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:30.920213938 CET	192.168.2.11	1.1.1.1	0xc4ce	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:28.896713972 CET	1.1.1.1	192.168.2.11	0x525a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:31.147367954 CET	1.1.1.1	192.168.2.11	0xc4ce	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:32:31.147367954 CET	1.1.1.1	192.168.2.11	0xc4ce	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49705	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:29.023571968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:30.374015093 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 07d4c8632e04043fc351001099f993a1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:32:30.383701086 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:30.817543030 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 46aa7f1233c96b6c08e1bb8f808079de Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:32:32.993860006 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:33.426985025 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3802490b1ca6562fbf8cd7a6716ac503 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49708	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:33.987926960 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:35.383210897 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d16923e93ae9b909d26989712dd8f25 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:32:35.432933092 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:35.875396967 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 42dcf93e693b408e641db964f4f82f84 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:32:37.718838930 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:38.161180019 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eb354ecd7ac520f101ba75d688defc67 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49709	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:35.270852089 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:36.586568117 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3d568e53435eba49f37009cc2b28f5ed Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49713	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:38.479870081 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:39.831293106 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c45f41dc102eba16fde6d0a67f996aa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49715	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:40.025605917 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:32:41.336775064 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: df42849b173a2169bdf23f2dddd4d4c3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49717	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:41.731941938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:43.128148079 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 32ce816fbefff222bb09be285190ee41 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49719	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:43.150055885 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:44.545739889 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0c5bd9ff30d267d257c9bec9d4a22065 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49723	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:44.924429893 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:46.277137041 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d4c8b4a0033316ccecff2ef70d6b8e33 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49726	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:46.387248039 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:47.691576958 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:47 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e5a8fd400ed191f8e9bbd71bdd78876d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49729	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:48.175750017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:49.483396053 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 81f81762436bc9730869c95d813b9481 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49730	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:49.591799974 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:50.945316076 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee92b12c1eb6244930b7549cc9b5e527 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49733	132.226.247.73	80	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:51.376671076 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:52.726036072 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b58dc17bb35fe22665b1449e49abf621 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49734	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:52.842830896 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:54.146330118 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3ede11b5fb8812667cb682428104f1d4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49737	132.226.247.73	80	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:32:56.063653946 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:32:57.419159889 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c1a6d5064f74ed7b0c050bab6d8dc2b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49706	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:32 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:32 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:32 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145461 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zg9FE6UKkaSiM0r9KVcGzOJVrD0wZu5QGgsr%2Fly2AJnCchWuxgZiYLr%2FYBdpmEFme0%2BvUOVv%2Fr8asbzolB%2FQodGeEfCm5yzmoRvQRn8rzdn4Ul%2Bio6MgM9KzX4avBa3Oi0Nio6pg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac509d5c4238-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1572428&cwnd=244&unsent_bytes=0&cid=fb5aa64cba99d55d&ts=549&x=0"
2024-11-21 09:32:32 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49707	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:34 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:32:35 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:34 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145463 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J0fYLe%2F%2FSig8Lm3schP8gNAEz6KFSlZkWktyZuj0XQlLmJvSHfpLtgYxaslGOTxfi8lw5%2FZ8sUmsybzJHS6%2BwMkJ3ml8OflJtRFjFwhJG%2B6xhVokMJYstMNA0eA4FkRtI4hcB%2BKi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac5e982a6a4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1819314&cwnd=252&unsent_bytes=0&cid=c037fb8dbc9ae0be&ts=460&x=0"
2024-11-21 09:32:35 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49710	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:37 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:37 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:37 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145466 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fgY0nwzlf57QegIbuXNaqmND7pZ8mI15Pb1pMVIM19GhlxpNLvJsafiim5NQ7W3HAXvDObMBKb7rGBHAYVfekgEXGQLzpwvBBPHWjhKI%2FknpQFQxYMjZnFvrK6ubluATn5a%2BpKaf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac6e8c9432dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1984&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1447694&cwnd=241&unsent_bytes=0&cid=0e184f64be872873&ts=481&x=0"
2024-11-21 09:32:37 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49711	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:37 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:32:38 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:38 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145467 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gq%2FAVuK%2BpoYFKCzooQH5ql7bxhk5FBOy43dyk0QS9za4EeL5I7tlDHi3QR%2FMNLWuMqzgkzcUltKqGNlgtMy%2FsPpnyTG%2BxwzonS5q2hhALfsKxvM5BfrMIlN2P8P1LmlOD%2FzYxxhz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac729f94c466-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1667&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1644144&cwnd=244&unsent_bytes=0&cid=63781fe211277fb0&ts=468&x=0"
2024-11-21 09:32:38 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49712	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:39 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:32:39 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:39 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145468 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GvWZxcJKJYsdMdU7DugM8Yx0NG8zoXx9%2FUVLbWYjs3oZKw0CpgKESozhc3IydnVw3PEQYF%2BmGsGxTrQjRgV8z79%2BcLE02zlkzMZwovcLqIqv2KR68Us5C2DCvb9Jortd4adqPxsG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac7c2b540f84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2070&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1417475&cwnd=242&unsent_bytes=0&cid=575559f5712c75f9&ts=476&x=0"
2024-11-21 09:32:39 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49714	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:41 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:41 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:41 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145470 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3hPfekD6eb7EJ9%2BWScMM8W4DqxwlZGBDBNPBcuUQgwafg76Y%2Fxq3ucAvo7lpJrY2dtFAma5yBMuMsu%2ByxTylcQq2lyY6Y2YXWmv685jLID3jxTTUpBEeLfvfWKUK%2BjNHZwgVsZWz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac86ef1a7d00-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2197&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1490556&cwnd=241&unsent_bytes=0&cid=692c07ab0f84c100&ts=473&x=0"
2024-11-21 09:32:41 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49716	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:42 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:32:43 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:42 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145471 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bb47EpwuLf8ttMNzseMYIdG9ZsNcNf%2FDGopeRluKq4T3t7DcF0KkhIZLPIdeSYlWzv7QWB0hXaNW0t7JmFedUgq72kJR8tEGZwLz0ewZXOHMwWn3smPgVgVaEn%2FtS6P07rZnMwi2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac8fd99843c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2051&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1390476&cwnd=191&unsent_bytes=0&cid=53272118b195b7fb&ts=449&x=0"
2024-11-21 09:32:43 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49720	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:44 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:44 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:44 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145473 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ls%2FCJbH2TUKI0bfqe5dSciaJokmy31SjAHRTD%2FHXrILOEt9QDNersTzjVrd47ZlOEaY%2BsQpTg4mwJnPxcQJmTYiAjnxP3r5KJrBvli6Dao4Pol69mKLP9Rwt9CTAuUH0y1dVCFEI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fac9aeeab0f80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2120&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1378008&cwnd=190&unsent_bytes=0&cid=ffda18e74ec617a7&ts=451&x=0"
2024-11-21 09:32:44 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49722	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:45 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:46 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:46 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145475 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8OrKN%2F66uiTEUuafO5p41R5mr%2F0oKPUr9RqvZRc5Aw9LLRC%2FxVwBnWZ4G1gnWxsCfHaAvj6fJ5ro6LbfUPmZ%2B00Fl8z6HY%2FQMpKsrgSGYC4K6YYkgcjuP6P0oiDobo5lNJVWOT9N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5faca3fc330f7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1703617&cwnd=235&unsent_bytes=0&cid=3fe82baa388d6966&ts=462&x=0"
2024-11-21 09:32:46 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49727	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:47 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:48 UTC	848	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:47 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145476 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bnlMvxbn9obmjjCDrGoMUHAPpXaw8PVrAWcgz87Y4W%2F8KDoUH77OzRloOsETHIamziAobW7xZ4oeU850a5dgm9kSD%2FQdqe1G5HKnB2SMAXs5qg565YqqpuHjn5K7LK4wLWSlw4EN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facaf2fb07cee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2310&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=575029&cwnd=172&unsent_bytes=0&cid=33d52a627157e22c&ts=473&x=0"
2024-11-21 09:32:48 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49728	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:49 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:49 UTC	848	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:49 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145478 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ro8HAa6apnDGP5RNGgDdQuYvDYNvvFH9v0a%2BK8NTM5SC9O85EFtW%2FYE3VljeGi1dYVTslyfvLicl6jAprKyfZpOu62QoJUvQaCz4g9D1X3kpCRceuoJE40sDcJOp1zXqGAyDTKCZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facb80a3ac44a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1917&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=879783&cwnd=223&unsent_bytes=0&cid=50f301a09c698b9d&ts=474&x=0"
2024-11-21 09:32:49 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49731	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:50 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:51 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:51 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145480 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vsMsZefvKDQBjFi50vDSk0Pw%2FUWDy6%2FM5AM2qW0nqYRVnzSq0y83vvV4wiawcuoSmzpnRF56SHSl1yHRh%2F4eNBeGZM6KKzzd2QF4k63hkibIAkkUMlh6NxVTh0oSxLF%2FjBgNVyVQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facc339a442d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2352&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1198686&cwnd=219&unsent_bytes=0&cid=a41230fafcdb5a83&ts=468&x=0"
2024-11-21 09:32:51 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49732	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:52 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:52 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:52 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145481 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2kkJzM78hr3htYNzK8WhMty1wZ2uam4CrLHyn5dBhJWerzpmoFWBV7hwEIXhBLaxVTAp9RJEBG%2BwPYwho6CSI9NrDrRvDAdMOgeYLwad6XV%2FHrUvU2VbbSCb4QL4b40oSAKv4KhJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5faccc6cc21801-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1844598&cwnd=218&unsent_bytes=0&cid=a28be0c000e69f21&ts=473&x=0"
2024-11-21 09:32:52 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49735	188.114.97.3	443	2536	C:\Users\user\Desktop\z1MB267382625AE.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:54 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:54 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:54 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145483 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sxl%2FXfUL8uExC0UMKH4CGoTiXJ7BbNLqdwksO6CDYdNZwyxVwsqnLLpF6d2yiJSUq1akHehnZtK%2B9KZsV8zyhmvPhzqXTK1mRcy1Cg1oFocBvnMdhR42lfkAxKXrzHVqGp%2B%2BCJF1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facd77f228c3f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1829&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1602634&cwnd=237&unsent_bytes=0&cid=35824bd2f8b25082&ts=470&x=0"
2024-11-21 09:32:54 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49736	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:55 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:55 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:55 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145484 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W%2FSV%2BnT2TsLRQs0mUscKJrTkjFrsfW1ZUSd8LZ5YrYtbcs0VmllvC%2FpAVXradPbPldIgvg%2BmDDmvoeW8R1ydSpcNkDHB1XF47k5PP4pG%2BuUdK057rNXxXH8zykiJRu5yra4asZ5Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facdfb9850f5d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1768625&cwnd=217&unsent_bytes=0&cid=b9a24518743067dc&ts=455&x=0"
2024-11-21 09:32:55 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49738	188.114.97.3	443	5764	C:\Users\user\AppData\Roaming\pNgFqm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:32:58 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:32:59 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:32:59 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145488 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xkyjxx268bWlBM7GJa8z3cZOOh2NfhZPxxqh%2F27N5Zeu%2BqDHhzgm2oXI76xBqAgoZK9KrayrUnFoH%2FPqbkHHGl%2BtFoeWHEl6od%2FV%2F101%2BsQORDB0%2Bm2PBTxnNqYTPHx0X5b4vRLx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5facf4de131889-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1847&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1477732&cwnd=252&unsent_bytes=0&cid=c51334898cf180eb&ts=469&x=0"
2024-11-21 09:32:59 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	04:32:24
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\z1MB267382625AE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1MB267382625AE.exe"
Imagebase:	0x260000
File size:	651'776 bytes
MD5 hash:	B996196F91E1480BA0A4BB0304A1F960
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Imagebase:	0x970000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Imagebase:	0x970000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"
Imagebase:	0x930000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:32:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:32:27
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\z1MB267382625AE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1MB267382625AE.exe"
Imagebase:	0x6e0000
File size:	651'776 bytes
MD5 hash:	B996196F91E1480BA0A4BB0304A1F960
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:32:29
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6220e0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:32:29
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\pNgFqm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\pNgFqm.exe
Imagebase:	0x80000
File size:	651'776 bytes
MD5 hash:	B996196F91E1480BA0A4BB0304A1F960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:32:32
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"
Imagebase:	0x930000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:32:32
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:32:32
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\pNgFqm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\pNgFqm.exe"
Imagebase:	0xbd0000
File size:	651'776 bytes
MD5 hash:	B996196F91E1480BA0A4BB0304A1F960
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	4

Executed Functions

Function 00B8CFD1 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8D05E
GetCurrentThread.KERNEL32 ref: 00B8D09B
GetCurrentProcess.KERNEL32 ref: 00B8D0D8
GetCurrentThreadId.KERNEL32 ref: 00B8D131

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 66947c5248ce856495576b36b5a2548b68c0bf3906ea75466e9d74fcab1234bb
Instruction ID: a0ec5f1c816d023c4762401ba49cef35bca58a911472cbe8871c77be6df6e2c8
Opcode Fuzzy Hash: 66947c5248ce856495576b36b5a2548b68c0bf3906ea75466e9d74fcab1234bb
Instruction Fuzzy Hash: D65169B0900349CFDB14DFAAD948B9EBFF1EF48314F24855AD409A73A0EB745984CB61

Function 00B8CFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8D05E
GetCurrentThread.KERNEL32 ref: 00B8D09B
GetCurrentProcess.KERNEL32 ref: 00B8D0D8
GetCurrentThreadId.KERNEL32 ref: 00B8D131

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0ccbd508ad9370c8803a945de1cce58347b43151acf320ec5db02444ad159fb5
Instruction ID: d456e189504ae366902767abd5946b5f897005d1064f32891132c1d46da46ff5
Opcode Fuzzy Hash: 0ccbd508ad9370c8803a945de1cce58347b43151acf320ec5db02444ad159fb5
Instruction Fuzzy Hash: E45159B0900749CFDB14DFAAD948B9EBBF1EF48314F248459E409A73A0DB745984CB65

Function 00B8AD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B8AF9E

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4fcedaea423ed2c9259c71af285b33326f45d925621590bfeb840da25ac7b31e
Instruction ID: 672c70293e14bfbecedfc8380a7c266875b2180dac8c7ad47917bc14ef88d9f1
Opcode Fuzzy Hash: 4fcedaea423ed2c9259c71af285b33326f45d925621590bfeb840da25ac7b31e
Instruction Fuzzy Hash: D3812570A00B058FE724EF2AD44575ABBF1FF88300F148A6EE44AD7A60D774E845CB92

Function 00B8590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B859C9

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a010727bfadaea9ca92dadedab5a84faa415b6b7e07e63a8379b2bf8c28b9a96
Instruction ID: d7f28be48bd52860ee4eafd82137f181378531d58b8630b3fa3f896285c8d862
Opcode Fuzzy Hash: a010727bfadaea9ca92dadedab5a84faa415b6b7e07e63a8379b2bf8c28b9a96
Instruction Fuzzy Hash: 8E41D1B1C00619CBDB24DFA9C885BDDBBF5FF48304F20816AD408AB261EB756946CF90

Function 00B844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B859C9

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4ecf5649bb7d88b6802b864ad70959e2f79c3318cadfe549b5f97a2ca2ff307b
Instruction ID: 8c050ec0ff73d0c1c48dd100cf862f0d19d78c3f53d363c8bf636f78365cb1a8
Opcode Fuzzy Hash: 4ecf5649bb7d88b6802b864ad70959e2f79c3318cadfe549b5f97a2ca2ff307b
Instruction Fuzzy Hash: 2641C1B0D00A5DCBDB24DFA9C885B9DBBF5FF48304F20816AD408AB261EB756945CF90

Function 00B8D628 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8D6B7

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3d9b30d3015e7f502564b7c07c92fe2c77589055ca8cc659487278984af418d
Instruction ID: f167bde4455ae34c704e04831a37216c562d8eab9085a0820e17f07812df1463
Opcode Fuzzy Hash: e3d9b30d3015e7f502564b7c07c92fe2c77589055ca8cc659487278984af418d
Instruction Fuzzy Hash: BC21F4B5900248DFDB10DF9AD884ADEBFF5FB48320F14805AE918A3350D378A941CFA5

Function 00B8D630 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8D6B7

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7a9957a72402ef9b468366f37d7a9342e94cbb5df4f53291b0d5f20026331096
Instruction ID: c6538b978f16d6e2fd361c8631e0492125be97e4364700c6ee562bcde0304409
Opcode Fuzzy Hash: 7a9957a72402ef9b468366f37d7a9342e94cbb5df4f53291b0d5f20026331096
Instruction Fuzzy Hash: 2621E3B5900248DFDB10DF9AD884ADEBBF9EB48320F14841AE918A3350D378A950CFA5

Function 00B8AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B8AF9E

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 46b4a8a0bb09828bfbcb531c7e575f496f7c9b67a57db9d22e71617e797f092c
Instruction ID: 5e752bf724eaac3480a1f9b67e7438ffa5473c87705b5fbbdaeceb7280a152f7
Opcode Fuzzy Hash: 46b4a8a0bb09828bfbcb531c7e575f496f7c9b67a57db9d22e71617e797f092c
Instruction Fuzzy Hash: 7F1110B6C002498FDB10DF9AC444BDEFBF5EF88324F14846AD918A7210C379A545CFA1

Function 00AED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459169296.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b826da8dc0def61a3f28a77f565307967ce3102a14a7ecc5d4cce22c4fa6796
Instruction ID: 82b3e6a6029981bfe7a1d2b887b29c59852a30207617377ded395f5bf7c63d2c
Opcode Fuzzy Hash: 5b826da8dc0def61a3f28a77f565307967ce3102a14a7ecc5d4cce22c4fa6796
Instruction Fuzzy Hash: FD2145B1500284DFDB01DF05C9C0B26BFA5FBA8324F24C568E9090F286C336E846CAA2

Function 00AFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459395557.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fec030db19317f4edadb9509d1cbfd613d0f16344fad27b30a50d27c9390e4f
Instruction ID: 55552f5c6d0aa0793e9e0b39d3bfd89c73c39d828701b6e625ddd04b5a8e0c86
Opcode Fuzzy Hash: 9fec030db19317f4edadb9509d1cbfd613d0f16344fad27b30a50d27c9390e4f
Instruction Fuzzy Hash: 55210771504248DFDB16DF54D5C0B26BFA6FB88314F24C96DFA4A4B246CB36D807CA61

Function 00AFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459395557.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf80823a0688225084ba91fb7e0d80fc04696b9d12397b67677afebeb84ec79
Instruction ID: 26e3334a7c1052d161819e7e13e174454e03242f1a325b0d09e495579a0f3e3f
Opcode Fuzzy Hash: dbf80823a0688225084ba91fb7e0d80fc04696b9d12397b67677afebeb84ec79
Instruction Fuzzy Hash: 202107B1504208EFDB06DF94D5C0B36BBA6FB88314F24CA6DFA094F255C336D806CAA1

Function 00AFD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459395557.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b3987727ddbbfe63d63850d4448a35627bf5b43dff354530c2d0e4bf9ac5f
Instruction ID: c2f9cc633ae3b16731667f0df650b5f2dccf538bffaf06dca1ced0fc523d5f8f
Opcode Fuzzy Hash: be6b3987727ddbbfe63d63850d4448a35627bf5b43dff354530c2d0e4bf9ac5f
Instruction Fuzzy Hash: 3721B0355093C48FCB03CF20D990715BF72EB46314F28C1EAD9498B2A7C33A980ACB62

Function 00AED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459169296.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: 4056b01e54eec8e2be389c5d001d891b5e0a2ade27810151f8796e90aef7312f
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: C8112676404280CFDB12CF00D5C0B16BF71FBA4324F24C2A9D9090B256C33AE85ACBA1

Function 00AFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459395557.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: 0a22e5dd6d103dbd468aaf87829f73cda873bb695023367bf2869fb55355a5fe
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: 0A11DD75504284DFDB12CF50C5C0B25FBB2FB84314F24C6AEE9494B296C33AD80ACBA1

Function 00AED759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459169296.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b24186222731a7de923659641a5fdbd0653e105b46b6cc2dba91e93904692e9
Instruction ID: c38015ae15a3c989d282422e16fb6c7ff9ef7be1cc31d8d7738051e39dcd05b8
Opcode Fuzzy Hash: 3b24186222731a7de923659641a5fdbd0653e105b46b6cc2dba91e93904692e9
Instruction Fuzzy Hash: 0701DB714043809AE7209B1BCC84B66FFB8EF55760F28C91AED094E286D3799C40CA71

Function 00AED758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459169296.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db3a45f47da330ec3ac5e9c54a8283a3a0ece12fcd61906af06602b28a605db
Instruction ID: 6ae4a593c4f61c062338535b550e59c5e361d07af4a84953f14ffa8f9e228555
Opcode Fuzzy Hash: 7db3a45f47da330ec3ac5e9c54a8283a3a0ece12fcd61906af06602b28a605db
Instruction Fuzzy Hash: A9F09672404384AEE7218F1ADC84B66FFA8EF51774F18C55AED084F296C3799C44CAB1

Non-executed Functions

Function 00B8D55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459600868.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c983203035368310468774770c9567033c72bb67f76db9cac2d7d2efb8146f
Instruction ID: eecd690bc9c8f38f8f2dd7cf91910316d4c2fc0f064509876e18b26c221ab9fb
Opcode Fuzzy Hash: 13c983203035368310468774770c9567033c72bb67f76db9cac2d7d2efb8146f
Instruction Fuzzy Hash: FDA12B36A00206CFCF05EFA5C8845AEB7F2FF85300B2585BAE906BB265DB71D955CB50

Analysis Process: z1MB267382625AE.exePID: 2536, Parent PID: 3400COMMON

Executed Functions

Function 01016730 Relevance: 6.7, Strings: 5, Instructions: 441COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01016CA5
(ogq, xrefs: 0101697A
,kq, xrefs: 01016A00
(ogq, xrefs: 01016988
,kq, xrefs: 010169F2

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (ogq$(ogq$(ogq$,kq$,kq
API String ID: 0-910114814
Opcode ID: a407b8986b1f6e6a87c054107694d6dd84ecdfa83c6e74f50feefa4542cec311
Instruction ID: ded61565276770e6810a3398d51fabe8fbaa0d08857f8200aa87f848f16c7856
Opcode Fuzzy Hash: a407b8986b1f6e6a87c054107694d6dd84ecdfa83c6e74f50feefa4542cec311
Instruction Fuzzy Hash: CE028070A00119DFCB55CFA9C984AAEBBF6FF88300F1480A9E845AB265D77ADC41CF50

Function 0101B328 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0101B747
0oJp, xrefs: 0101B562
LjJp, xrefs: 0101B6CF
PHgq, xrefs: 0101B758
LjJp, xrefs: 0101B6E5

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 264cbe65f677bad2e36e709716f7649a82ad6a86db0a8ea471c78bf7bdb74b61
Instruction ID: ad2fc977ea37a3810db0a3401c28c7e6c6f523055bf467c95b3cd253906e0604
Opcode Fuzzy Hash: 264cbe65f677bad2e36e709716f7649a82ad6a86db0a8ea471c78bf7bdb74b61
Instruction Fuzzy Hash: BFE10674A00618CFDB14CFA9C984A9DBBF2FF49310F15C4A9E959AB365DB34A881CF50

Function 0101BBD3 Relevance: 6.4, Strings: 5, Instructions: 197COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0101BDAF
PHgq, xrefs: 0101BE38
LjJp, xrefs: 0101BDC5
PHgq, xrefs: 0101BE27
0oJp, xrefs: 0101BC42

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 32e3a7fc93da078e5d944e6ff3d4bf61f3092ffa8f4dc04443012f4e89529dc3
Instruction ID: cfd18964c03c6a476f6529c34f6d94684aeec3978c25ccf7a9cd56a5a833dcbe
Opcode Fuzzy Hash: 32e3a7fc93da078e5d944e6ff3d4bf61f3092ffa8f4dc04443012f4e89529dc3
Instruction Fuzzy Hash: 5091D674E00218DFDB58DFAAD984A9DBBF2BF89300F1480A9E449AB365EB345941CF11

Function 0101C470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0101C64F
LjJp, xrefs: 0101C665
PHgq, xrefs: 0101C6D8
0oJp, xrefs: 0101C4E2
PHgq, xrefs: 0101C6C7

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 0522360457423cf166d865730a724188d6dddd15ca043712270dd81b6167afe1
Instruction ID: 80167b8e839e50f39b0c4c5c80ca05dfc81ac6c48f8f3e38d1232c0873430a92
Opcode Fuzzy Hash: 0522360457423cf166d865730a724188d6dddd15ca043712270dd81b6167afe1
Instruction Fuzzy Hash: 8F81B574E40218CFEB54DFAAD984A9DBBF2BF88300F14D469E459AB365DB349981CF10

Function 0101C753 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0101C945
LjJp, xrefs: 0101C92F
0oJp, xrefs: 0101C7C2
PHgq, xrefs: 0101C9A7
PHgq, xrefs: 0101C9B8

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: f489fbe625660c580d9bad060864c8b6520e0ab92dc595081c072db414c42c47
Instruction ID: bee98d5a71ee5779c9dda68109ff8eab92e2d28f5e7020f0c248e3e4f205a7d2
Opcode Fuzzy Hash: f489fbe625660c580d9bad060864c8b6520e0ab92dc595081c072db414c42c47
Instruction Fuzzy Hash: EC81D974E01218CFEB54DFAAD984A9DBBF2BF89310F14C069E849AB365DB349941CF10

Function 0101C193 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0101C385
LjJp, xrefs: 0101C36F
PHgq, xrefs: 0101C3E7
0oJp, xrefs: 0101C202
PHgq, xrefs: 0101C3F8

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 6a7be05b7a04ebcf176edcdaa7918ba829c89aa1e7e1400b2f058d3fca6577a2
Instruction ID: e89f41f347e3d9107a9d1e74b9d6b38f812d9ee9ca1753122d8580599f8cdf1f
Opcode Fuzzy Hash: 6a7be05b7a04ebcf176edcdaa7918ba829c89aa1e7e1400b2f058d3fca6577a2
Instruction Fuzzy Hash: 3781C574E40208CFEB54DFAAD984A9DBBF2BF89300F14C069E459AB365DB349981CF50

Function 01014AD9 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHgq, xrefs: 01014D41
LjJp, xrefs: 01014CB8
LjJp, xrefs: 01014CCE
PHgq, xrefs: 01014D30
0oJp, xrefs: 01014B4A

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 00d6e60b0dfcb00cc7fa67598fb2d2617caf19662e26ca3ceb6840de0e7400ec
Instruction ID: 61efe297f06595d004e26ea6f67e111669aaca33ffbba7b0bbf80c0e627c59ae
Opcode Fuzzy Hash: 00d6e60b0dfcb00cc7fa67598fb2d2617caf19662e26ca3ceb6840de0e7400ec
Instruction Fuzzy Hash: 2E81A274E01218DFDB54DFAAD984A9DBBF2BF88300F14C069E859AB369DB345981CF50

Function 0101CA33 Relevance: 6.4, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0101CC87
0oJp, xrefs: 0101CAA2
LjJp, xrefs: 0101CC25
LjJp, xrefs: 0101CC0F
PHgq, xrefs: 0101CC98

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 83b3d8d0ca059ce3bf6ff5d0541262e59bbda57296f1f8565113be5fae94f5d5
Instruction ID: 9d2a7758585e213615f2f271f42f4af14281daccbca7f299868d5e359cf00d69
Opcode Fuzzy Hash: 83b3d8d0ca059ce3bf6ff5d0541262e59bbda57296f1f8565113be5fae94f5d5
Instruction Fuzzy Hash: 8A81A674E01218CFEB54DFAAD984A9DBBF2BF88300F14C069E459AB365DB349981DF50

Function 0101BEB7 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0101C08F
0oJp, xrefs: 0101BF22
PHgq, xrefs: 0101C118
PHgq, xrefs: 0101C107
LjJp, xrefs: 0101C0A5

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: b444063c74fca4dd5103ed7a4ebe553a450de2c082deae0107f0c9c7585c20ad
Instruction ID: bb951850a290e0ed857f069e28863d2034e7faf0f0ef1895878a8f7a9b9a5c06
Opcode Fuzzy Hash: b444063c74fca4dd5103ed7a4ebe553a450de2c082deae0107f0c9c7585c20ad
Instruction Fuzzy Hash: 2781C574E40218CFEB54DFAAD984A9DBBF2BF89300F14C069E459AB365DB349981CF50

Function 0101B4F3 Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0101B747
0oJp, xrefs: 0101B562
PHgq, xrefs: 0101B758

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp$PHgq$PHgq
API String ID: 0-3138407973
Opcode ID: 1342e889028efd8cbd073bd227402ade19be2e7174f295bea2915e92e2ef485a
Instruction ID: 9daf603710b25ba8bf5194cd0918f4be6fcb358a1d148d21b7b6403b557333bb
Opcode Fuzzy Hash: 1342e889028efd8cbd073bd227402ade19be2e7174f295bea2915e92e2ef485a
Instruction Fuzzy Hash: 2E61C374E00608DFDB18DFAAD984A9DBBF2BF88300F14C469E459AB369DB345942CF50

Function 01019858 Relevance: 3.4, Strings: 2, Instructions: 857COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01019C78
4'gq, xrefs: 0101A273

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (ogq$4'gq
API String ID: 0-590356624
Opcode ID: 4956f936a18028aa236aff22c77e1d043914910a4194e7af728b3a35213eaaa8
Instruction ID: 2e2aca4756e584789598ae64071080217365ff65b7aa1dc9ec159be87f0a4724
Opcode Fuzzy Hash: 4956f936a18028aa236aff22c77e1d043914910a4194e7af728b3a35213eaaa8
Instruction Fuzzy Hash: 0572B071B00249CFCB15CFA8C994AAEBBF2FF88314F158559E885DB2A9D734E941CB50

Function 01016108 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01016642
Hkq, xrefs: 0101650E

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (ogq$Hkq
API String ID: 0-1949169705
Opcode ID: fadb234afe32527ea295f06d7208c1c5688e558715feea481ffeb6edcfe66e08
Instruction ID: a47e7931fe83836eadfeaf38da7ed7c0d5748e87cb6caae985bdc152b19d2c0c
Opcode Fuzzy Hash: fadb234afe32527ea295f06d7208c1c5688e558715feea481ffeb6edcfe66e08
Instruction Fuzzy Hash: F312AF70A002188FDB14CF69C954AAEBBF6FF88300F248569E549DB395EF799D41CB90

Function 06758B58 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

PHgq, xrefs: 06758E9A
PHgq, xrefs: 06758EAB

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: PHgq$PHgq
API String ID: 0-1815594587
Opcode ID: 151b92937c1de020e9b13abfb55a9d08e13050af6ae91e50f43fb3b8f8248b7a
Instruction ID: f2ed7f2ba7f599f00bc647010dc948661babb2e5280b80734218e3be4ecf7f1f
Opcode Fuzzy Hash: 151b92937c1de020e9b13abfb55a9d08e13050af6ae91e50f43fb3b8f8248b7a
Instruction Fuzzy Hash: A5B188B0E01228CFDFA5DFA5C8446EDBBB2BF89300F1482AAD859AB350DB705941CF51

Function 067511A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5680d0e3eb608e0288dfbd8c78f67b7f0032fe75937818a24544ee91e650b8
Instruction ID: a3f1ec6fe2847fa71ba34feaad3cf5acd9ca77e7b546cd2bd5caa78e05321201
Opcode Fuzzy Hash: 9a5680d0e3eb608e0288dfbd8c78f67b7f0032fe75937818a24544ee91e650b8
Instruction Fuzzy Hash: 3E827F74E012288FDBA4DF69C994BDDBBB2BF89301F1081E9A80DA7254DB715E85CF50

Function 0101F007 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ce4995fe2e46696c55c2076f287589611439a287dd53f797832ff4dd20a26c
Instruction ID: f73b9de54690e2926b29bce1141fa7d7ef31aada17e3e87b82a87bbd6bc8315d
Opcode Fuzzy Hash: 27ce4995fe2e46696c55c2076f287589611439a287dd53f797832ff4dd20a26c
Instruction Fuzzy Hash: 6772DF74E052298FDB64DF69C980BEDBBB2BB49300F1481E9E448A7259DB349EC5CF50

Function 06758608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5dec093c3bfeead3748112f2d61f44ec714e82315abab56a371ea48b8ebdd7
Instruction ID: 6c57ab293a55f5d91c4b9858ccca604c9d34bae734ef61718a3e781d124f0ee4
Opcode Fuzzy Hash: 2b5dec093c3bfeead3748112f2d61f44ec714e82315abab56a371ea48b8ebdd7
Instruction Fuzzy Hash: 71E1C274E01218CFEB54DFA5C984B9DBBB2FF89304F2081A9E408AB394DB755A85CF51

Function 06756320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab818b5fc760d0f9f03c446c2898d4ed262b011442f656274c87e46d5974a742
Instruction ID: 81f3db268e9c462a7babe80cdfff13c09b5cdb34aaf69386ccd31c845a4a7c9f
Opcode Fuzzy Hash: ab818b5fc760d0f9f03c446c2898d4ed262b011442f656274c87e46d5974a742
Instruction Fuzzy Hash: A2C19274E01218CFDB54DFA5C994B9DBBB2FF89300F1080A9E809AB369DB755A85CF50

Function 0675D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb50e4aefc48a48a0772de4ea628e4229473f9b1a8373f3e3fdae1dd354578f0
Instruction ID: 279a2ee95bbbc50fc844dd5cbd4739a40053a475ab27dd7af15a23d4d63eebf6
Opcode Fuzzy Hash: fb50e4aefc48a48a0772de4ea628e4229473f9b1a8373f3e3fdae1dd354578f0
Instruction Fuzzy Hash: EDA1A2B4E012188FEB68CF6AC944B9DBBF2AF89300F14D0EAD40DA7254DB745A85CF55

Function 0675B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8c640836bbc42672735720db71e21f86710d088ccde031337d25ddf9eeee0e
Instruction ID: c4ee748c9ffa5acf48c22dcf3e79fd38f90f165055ac32fab076e08dd5b2eb58
Opcode Fuzzy Hash: 7a8c640836bbc42672735720db71e21f86710d088ccde031337d25ddf9eeee0e
Instruction Fuzzy Hash: 66A193B4E012188FEB64CF6AC954B9DBAF2BF89300F14C0AAD409A7255DB745A85CF51

Function 0675C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733f2e5a8a7bd2f4aa3166e7a1692f952bfba152d01f96c80132b9ee0aecf47a
Instruction ID: 0135d4b46e1c33712a9c2d090ff85d4042e641cb0bb85ee5d143086576d63986
Opcode Fuzzy Hash: 733f2e5a8a7bd2f4aa3166e7a1692f952bfba152d01f96c80132b9ee0aecf47a
Instruction Fuzzy Hash: 89A182B5E012188FEB68CF6AD944B9DBBF2AF89300F14C0EAD40DA7255DB745A85CF50

Function 0675A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36adb7083b2d55416848ba24356c8129ce53d22210e0682c15863074f3a0245b
Instruction ID: 67e270f88c709bbade0d16c3740906e5a303a15f81bb3b1dbd8b6b3c2c9351a2
Opcode Fuzzy Hash: 36adb7083b2d55416848ba24356c8129ce53d22210e0682c15863074f3a0245b
Instruction Fuzzy Hash: AFA1A2B4E012188FEB68CF6AC944B9DBBF2AF89300F14C1EAD40DA7255DB745A85CF50

Function 0675BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d9c6868f399dbf2f25786f0216abd87fb942eaf89dc26cfeea4174aa690276
Instruction ID: 003adcd0f3851062a636475dff69e4627b682cf4517fdb648f481c5dc81a4a57
Opcode Fuzzy Hash: 11d9c6868f399dbf2f25786f0216abd87fb942eaf89dc26cfeea4174aa690276
Instruction Fuzzy Hash: 2FA191B4E012188FEB68CF6AD944B9DBBF2AF89300F14C0EAD40DA7255DB745A85CF51

Function 0675C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635f6d683c75ced87b44d952f09026b74a8b99f70aa6d0e903c521f930a8eb24
Instruction ID: 2a76b1346e83261bccbc322d45c7db6611f266003c4efe93e4ecc94a01a1617f
Opcode Fuzzy Hash: 635f6d683c75ced87b44d952f09026b74a8b99f70aa6d0e903c521f930a8eb24
Instruction Fuzzy Hash: 3DA1A2B4E012188FEB68CF6AD944B9DBBF2AF89300F14C1AAD40DA7254DB745A85CF50

Function 0675AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16190704ab18f51b40d537b31316eecec5a18c7968a9ad4abbe99d1756cec37
Instruction ID: 93acb65d8ddd1075375f110bce0f78bd1e81f93fb1fcc3c65fbaf949059eef7a
Opcode Fuzzy Hash: f16190704ab18f51b40d537b31316eecec5a18c7968a9ad4abbe99d1756cec37
Instruction Fuzzy Hash: 5DA193B4E012188FEB68CF6AC944B9DFBF2AF89300F14C1AAD40DA7254DB745A85CF50

Function 0675D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327f0b7ae78ed5c5b3cbd6fed6495f3870c9f50046f5fed52141aa5391274c50
Instruction ID: a46562fec2efe4dc2444f1a7c6c081aa9481a8f32254a9ea743a24ebf31c2ec2
Opcode Fuzzy Hash: 327f0b7ae78ed5c5b3cbd6fed6495f3870c9f50046f5fed52141aa5391274c50
Instruction Fuzzy Hash: B7A192B4E012188FEB68CF6AC944B9DFBF2AF89300F15C0AAD40DA7254DB745A85CF55

Function 0675B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f1bae1806b93657aa5a3cb22ce661bbea315318243a7e1f5d6fa85655e182e
Instruction ID: 8b8f1f4ef1266ce7d70482960335a1b73ac8e4344e32047ae5e4b920348a36a3
Opcode Fuzzy Hash: a9f1bae1806b93657aa5a3cb22ce661bbea315318243a7e1f5d6fa85655e182e
Instruction Fuzzy Hash: A3A193B4E016188FEB64CF6AC944BADFBF2AF89300F14C1AAD409A7254DB745A85CF50

Function 0675B08F Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e0564279556606de2d4379e73504217de51b28b8999733baafffe439763597
Instruction ID: 27be7a416ceeaf8ad6d29a9c58553adbea03b98bf42a40fbca469ed817c506f8
Opcode Fuzzy Hash: 20e0564279556606de2d4379e73504217de51b28b8999733baafffe439763597
Instruction Fuzzy Hash: 1991EAB1D052588FEB64CF6AD984BA9BBB2FF89300F14C0EAD40CAB255D7311A85DF51

Function 06751191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a78de0d659b4a253838018ced42ded02987176eead1370612df63f924e595f
Instruction ID: c47beb9f93097ca3f951454d6ca613844a3bcecdca3340417daccdbc3666bfe4
Opcode Fuzzy Hash: 60a78de0d659b4a253838018ced42ded02987176eead1370612df63f924e595f
Instruction Fuzzy Hash: 26819174E452289FDB64DF25DD85BEDBBB2AF89301F1080EAE808A7254DB715E81CF44

Function 0675AA48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f5da4ef1961ba0a28185a842738832b525f2511884911f908e313f123ccee2
Instruction ID: 1a379b88f489ec7179edca7bbfa8301cb4c8dcf77bb197087b70e14e51f2d44e
Opcode Fuzzy Hash: 80f5da4ef1961ba0a28185a842738832b525f2511884911f908e313f123ccee2
Instruction Fuzzy Hash: FA7183B5E006188FEB68CF6AC944B9DBBF2AF89300F14C1EAD50DA7254DB745A85CF50

Function 0675D018 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7717d10b551ae8f920e926991fd35d4030849d407d9d6a6845e752dc5d8dfd
Instruction ID: df4b99f58d95585bff890f2c2e169b60390945262aa7f66c6da6adcfeaa09ff5
Opcode Fuzzy Hash: aa7717d10b551ae8f920e926991fd35d4030849d407d9d6a6845e752dc5d8dfd
Instruction Fuzzy Hash: E7718771E016188FEB68CF6AC944B9DFAF2AF89300F14C0EAD40DA7254DB745A85CF55

Function 0675C9C8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99162d875eafdb46f8f9b24c79c8661fc3c9d7a00ca99a8da7cf93b1fa3f019
Instruction ID: 81c1c5f7eac4ed9c3f298097e89c3fba6e93f9cfdebb0489a037eb023619eed9
Opcode Fuzzy Hash: e99162d875eafdb46f8f9b24c79c8661fc3c9d7a00ca99a8da7cf93b1fa3f019
Instruction Fuzzy Hash: 5D5187B1E016188BEB58CF6BDD457D9FAF3AFC8310F04C0AAD50CA6264DB740A868F51

Function 067585FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061c7a95869b66a26339d75093a18c4196c63a5893bb0e538d5c150813d94fa2
Instruction ID: 17c729956e3b43cc6dd4ccf58ea849303f456b9dfd36d048e66b6a026cd3fa11
Opcode Fuzzy Hash: 061c7a95869b66a26339d75093a18c4196c63a5893bb0e538d5c150813d94fa2
Instruction Fuzzy Hash: 2B41D1B0E002198BEB58DFAAC9447EEBBF2AF88300F14C169D418BB254EB754946CF55

Function 0675A3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e51fe57372a7b0ce18b3d299969e7aeca8565c25d483c35e3e56d9a0a1e01b7
Instruction ID: fad56943439010c09a00582bb8248d62e0aebc1423efdcb1de68a3a97b476435
Opcode Fuzzy Hash: 6e51fe57372a7b0ce18b3d299969e7aeca8565c25d483c35e3e56d9a0a1e01b7
Instruction Fuzzy Hash: 934158B1E016188BEB58CF6BC9457D9FAF3AFC8310F14C1AAD50CA6265DB740A858F51

Function 0675C378 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3d1950afa30db75dd9a61982b5a76cb08eca018b3eb08fce56afca9afe119b
Instruction ID: 8dca166c2d172f5866db41162c1b892b46216b4678d9475a604c6a37f96d3670
Opcode Fuzzy Hash: df3d1950afa30db75dd9a61982b5a76cb08eca018b3eb08fce56afca9afe119b
Instruction Fuzzy Hash: 6F416BB1D016189BEB58CF6BCD457DAFAF7AFC8304F04C0AAD50CA6264DB741A868F54

Function 0675BD28 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f22174b77ee297cd7bd9ed65816500442c4bc58a93d0afe69e89657e8937f
Instruction ID: ab2c5a8c7dda1eb6019dc6fbffd2a7f59a09e4b5bf8e22fe69bd9df71f481a51
Opcode Fuzzy Hash: 171f22174b77ee297cd7bd9ed65816500442c4bc58a93d0afe69e89657e8937f
Instruction Fuzzy Hash: 63418C71D016188BEB58CF6BCD457DAFAF7AFC8310F14C0AAD50CA6264DB740A858F50

Function 0675D663 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d21f2cad4255bca0096587cb893ca78d030d6e49509241f5b3d0bcfee0d8753
Instruction ID: d76a4063b671addf93b4be8e272033c2357dbfb876226736c5c16c9dac070ec8
Opcode Fuzzy Hash: 1d21f2cad4255bca0096587cb893ca78d030d6e49509241f5b3d0bcfee0d8753
Instruction Fuzzy Hash: 06416BB1D016188BEB58CF6BCD457DAFAF3AFC8300F04C1AAD50CA6264EB741A858F51

Function 0675B6D9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adecf936adab37d8eee28ca9a1333ef8e04359895c877fb7cb212b0dc490e669
Instruction ID: 22717bbc1182fa0cb9b57bddb8178de96243e684e70606a5295e294c3056f25b
Opcode Fuzzy Hash: adecf936adab37d8eee28ca9a1333ef8e04359895c877fb7cb212b0dc490e669
Instruction Fuzzy Hash: B6416871E016188BEB58CF6BC9557D9FAF3AFC8300F14C1AAD50CA6264DB740A868F51

Function 06756310 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442a55815891017222f0ccff49ae03f675618b627320a64c1b5554343913077c
Instruction ID: 046977596ade9fe5e36c7848ca7831fd492f3b1ff0e1665c1c6821848915e679
Opcode Fuzzy Hash: 442a55815891017222f0ccff49ae03f675618b627320a64c1b5554343913077c
Instruction Fuzzy Hash: A541F5B0E01248CBEB58DFAAD9546EEFBF2AF88300F24C069D414AB264DB754946CF40

Function 01016E58 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01016E96
(ogq, xrefs: 01017367
(ogq, xrefs: 01016F7D
,kq, xrefs: 010172F8
(ogq, xrefs: 01016F51
(ogq, xrefs: 0101701A
(ogq, xrefs: 01017377
,kq, xrefs: 01017308

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (ogq$(ogq$(ogq$(ogq$(ogq$(ogq$,kq$,kq
API String ID: 0-1957521964
Opcode ID: 29ab8e5287d38b6a3e503f5d596f5feed0fec9ad12f2b796e474bb4d9f51dd99
Instruction ID: 596b0458ebbbc11c198da351da6503850f9a66436c03abbc42fd5fbbf2dd1574
Opcode Fuzzy Hash: 29ab8e5287d38b6a3e503f5d596f5feed0fec9ad12f2b796e474bb4d9f51dd99
Instruction Fuzzy Hash: D4126B30A002498FCB65CF69C884AAEBBF2FF89314F148599F985DB2A5D735ED41CB50

Function 010187E9 Relevance: 4.3, Strings: 3, Instructions: 503COMMON

Download Yara Rule

Strings

4'gq, xrefs: 01018811
;gq, xrefs: 01018C2C
4'gq, xrefs: 01018837

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 4'gq$4'gq$;gq
API String ID: 0-2788574575
Opcode ID: b5e40837de8f77c71b9fd9768d286b86dc1a5db7e63c32c52e6704733281c587
Instruction ID: b4f52245425b7ba2ce0ff9caded42be9a15be959c0f6aa474425b37b3e48fe3f
Opcode Fuzzy Hash: b5e40837de8f77c71b9fd9768d286b86dc1a5db7e63c32c52e6704733281c587
Instruction Fuzzy Hash: 4BF160703146018FEB595A3DC994B3D3BD6AF85701F1884ABE582CF3AAEA2DCE41C751

Function 010177F0 Relevance: 3.2, Strings: 2, Instructions: 707COMMON

Download Yara Rule

Strings

$gq, xrefs: 01018337
$gq, xrefs: 01018314

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: $gq$$gq
API String ID: 0-2569250954
Opcode ID: 60073b348d75da4c4359688777deffb17e9add14a5b9a418fbd02b1b7507b83e
Instruction ID: 1f6d9a121bc7276c8f3361bc8eadb579cad9dd622835ad69d84cb1243ad43f3b
Opcode Fuzzy Hash: 60073b348d75da4c4359688777deffb17e9add14a5b9a418fbd02b1b7507b83e
Instruction Fuzzy Hash: CC522F74A002598FEB559BE4C860BDFBBB2EF84300F1081AAD10A6B395DB355E85DF61

Function 010156A8 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Hkq, xrefs: 010157C6
Hkq, xrefs: 01015793

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: Hkq$Hkq
API String ID: 0-2158860719
Opcode ID: 5433c4a8e19f9df4d246847f3d41c6d889e515ce53916bc65a3e703576d2fba8
Instruction ID: 545087542e692de2c0b9beba248fb5da456d17a60aa10753a57ac08c51763441
Opcode Fuzzy Hash: 5433c4a8e19f9df4d246847f3d41c6d889e515ce53916bc65a3e703576d2fba8
Instruction Fuzzy Hash: E6B1BD717042548FDB569F78D894B7E7BE2BBCA310F148869E886CF299DB78C801C791

Function 01015C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,kq, xrefs: 01015CDE
,kq, xrefs: 01015CE8

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: ,kq$,kq
API String ID: 0-3716310059
Opcode ID: a47b713dea31a70fd246d1e45e6140be85a589402afc21ec7270f138542eb7ad
Instruction ID: 1ab4133dff889598e747bff55f94d3364e6833c100a7aafe717005e99ff7b371
Opcode Fuzzy Hash: a47b713dea31a70fd246d1e45e6140be85a589402afc21ec7270f138542eb7ad
Instruction Fuzzy Hash: 55817E34A001098FCB58DF6DC8889AEBBF2BFCA314B5481A9D545DF369D739E842CB50

Function 067523E0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LRgq, xrefs: 067523FC
LRgq, xrefs: 06752529

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: LRgq$LRgq
API String ID: 0-3234239580
Opcode ID: 32f1a50e1af749599992ebc30411de42640bad4694c0e8bf64e41f44fb7a6f2f
Instruction ID: 4d99ba77e6faaa13debb32556286d71563b1ef528809f06eca4f403e0ef2c62d
Opcode Fuzzy Hash: 32f1a50e1af749599992ebc30411de42640bad4694c0e8bf64e41f44fb7a6f2f
Instruction Fuzzy Hash: BB81B231B101058FCB48DF78C99496E77B6EF88650B1681E9E915DB3B6EB70DD02CBA0

Function 06759510 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(kq, xrefs: 067596EA
(&gq, xrefs: 0675962B

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (&gq$(kq
API String ID: 0-511105817
Opcode ID: df0b028924ad94f4c769ad541e039a791166f2cf0ebb97597d0f812d806374ed
Instruction ID: d5f279b1730219fd80749ab79c574388ec761a35c727ea37fe31f4956f3b73aa
Opcode Fuzzy Hash: df0b028924ad94f4c769ad541e039a791166f2cf0ebb97597d0f812d806374ed
Instruction Fuzzy Hash: AE71B371F002599BCB55DFA8C8506AE7BB2EFC8710F154429E905BB380EF749D06CBA1

Function 01013428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xkq, xrefs: 0101345E
Xkq, xrefs: 01013435

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: Xkq$Xkq
API String ID: 0-930889198
Opcode ID: 534449db6c223965a31212029ece504938299cbabee71b1df58f27247ddfbfc1
Instruction ID: 6cfc7ff64bd504c1cb556a143633bf9a4405fb098eb55da5f7fbd593bfb694cf
Opcode Fuzzy Hash: 534449db6c223965a31212029ece504938299cbabee71b1df58f27247ddfbfc1
Instruction Fuzzy Hash: 1D3127B9B443248BDF594ABE899427E79DABBC4320F144479D986CB388DF7CDC4046A1

Function 01010C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRgq, xrefs: 01010E5E

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: LRgq
API String ID: 0-2449505933
Opcode ID: 8309c465589b4b564068d0bf5d27ea5b5f100a09203c855c993ab2bfadf478ec
Instruction ID: 3bcbe040e05f7756c528370d08c12d7f5b933d6f6c1f7cf10e29e26da20416b5
Opcode Fuzzy Hash: 8309c465589b4b564068d0bf5d27ea5b5f100a09203c855c993ab2bfadf478ec
Instruction Fuzzy Hash: 19221C78D0521ACFCB54EF64E886A9DBBB1FF48301F1089A9D849AB319DB306D95CF41

Function 01010CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRgq, xrefs: 01010E5E

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: LRgq
API String ID: 0-2449505933
Opcode ID: 8ae6e1971ece752a5457211764226582781e68d2375f5ee768db9bca3565d49b
Instruction ID: f1e0d7fd6fd6b184faffac20b4a442811dd48bd310ec4e14c645da19630075e0
Opcode Fuzzy Hash: 8ae6e1971ece752a5457211764226582781e68d2375f5ee768db9bca3565d49b
Instruction Fuzzy Hash: 33220C78D0521ACFCB54EF64E885A9DBBB1FF48701F1089A9D849AB318DB306D95CF41

Function 0101A650 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(ogq, xrefs: 0101A7D9

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: (ogq
API String ID: 0-183986202
Opcode ID: 314d4f7ca6efaa16617c08710a5463aa755e6d51b5a275edf87be3ed6b8c4ed4
Instruction ID: 002ace8773201d0dd7351defd6c600ec0b4352f0c11cddc62273f68138b323ec
Opcode Fuzzy Hash: 314d4f7ca6efaa16617c08710a5463aa755e6d51b5a275edf87be3ed6b8c4ed4
Instruction Fuzzy Hash: 77410E35B042488FCB159B79D854AAE7BF7FFC8210F244469E906E7391CE348C06CBA0

Function 0101A818 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30785686d15c9eb604c5a0b0fce360617b9ef35e8f87d4f04549d01b7f739870
Instruction ID: 4c6be731ca8e12a4b47a5f1a39d38c06ec492935b807ffd37ae6da0ddbf59773
Opcode Fuzzy Hash: 30785686d15c9eb604c5a0b0fce360617b9ef35e8f87d4f04549d01b7f739870
Instruction Fuzzy Hash: 98F12A75B01295CFCB05CF6CC9849ADBBF6BF88310B1A8499E545AB366C739EC81CB50

Function 01017438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c909ec0f1785dd73aee481c2e8ec4b153b02d807f1b5fb711a5ae21c67d2122
Instruction ID: 993415a6c9b1485d2eb4f0fcffb9b4f14486615818a1b512384238f58ffd0f79
Opcode Fuzzy Hash: 8c909ec0f1785dd73aee481c2e8ec4b153b02d807f1b5fb711a5ae21c67d2122
Instruction Fuzzy Hash: A17125307402458FDB55DF2CC898AAE7BE6AF49700F1904A9E986CB3B5DB78DC41CB90

Function 0101CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc402b76a14113b5fb74ee6b4a2af2fd5fb97b8d78753e958099d8aa6780d6fb
Instruction ID: 5e972d2c2efb0de761ca607ed76d01e610a6ce44f03a192bfdaae3f835aad2cd
Opcode Fuzzy Hash: cc402b76a14113b5fb74ee6b4a2af2fd5fb97b8d78753e958099d8aa6780d6fb
Instruction Fuzzy Hash: C351AF348A964BCFD7043F20E9AC17ABBA1FF6FB2B7046D14B40E95066DF705169DA20

Function 0101CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98036749adc96388257b093a5a99fcb5da3fec10e185815efdecbc7898bf83c
Instruction ID: 912cf36989471a9cd4a86ae97ed63b5bf8ca40fd91605ce2bd519d853b1ae6d4
Opcode Fuzzy Hash: b98036749adc96388257b093a5a99fcb5da3fec10e185815efdecbc7898bf83c
Instruction Fuzzy Hash: 10519F348A974BCFD2043B20E9AC13EBBA5FF6FB2B7046D14B50E950669F305469DA60

Function 0101E2D9 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334f36bd562f8204a83752f3bcf7896a90b6e5c9c7d8bb90d7ee74a11d1994ec
Instruction ID: 7c646fe81fb516eafd4476ef1fba1d3d3cee1efdb9fdef1bc47e66769684153d
Opcode Fuzzy Hash: 334f36bd562f8204a83752f3bcf7896a90b6e5c9c7d8bb90d7ee74a11d1994ec
Instruction Fuzzy Hash: DD612374D01218CFDB15DFB5D994AADBBB2FF88300F208569E805AB399DB745985CF40

Function 0101CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ab6fcf634e5e2ab81682143d9d4fd83d0cb92a5019c22d560b0aab76bfea2c
Instruction ID: ababd17060454dff933835fcda81a9be41c06655bfb2232852b24e9556e881aa
Opcode Fuzzy Hash: 81ab6fcf634e5e2ab81682143d9d4fd83d0cb92a5019c22d560b0aab76bfea2c
Instruction Fuzzy Hash: 24517374E01208DFDB48DFA9D58499DBBF2FF89300F248169E815AB365DB31A945CF50

Function 0675DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc67d7455dd2b4c7ee2a8045449ba94d0e74fc2485acb44a5d2c0062031d9e2f
Instruction ID: cac3e719b80acbc524590191ca9a39afd7549b1a17f5d5bbdd282336bf3a4156
Opcode Fuzzy Hash: bc67d7455dd2b4c7ee2a8045449ba94d0e74fc2485acb44a5d2c0062031d9e2f
Instruction Fuzzy Hash: 89418E7580531ACFD704BFA0D85C7EE7BB1EB9A312F104865E501672A5CBB80A84DF95

Function 01013908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79361afce7b9981bca945620e0c8a05621f9eccb32daebc8c1d49d3d409007c5
Instruction ID: d8d1346362e8d8a4ebf45c3f2c0a23ae9caee5f54594bb3a4a51a9c961fc221e
Opcode Fuzzy Hash: 79361afce7b9981bca945620e0c8a05621f9eccb32daebc8c1d49d3d409007c5
Instruction Fuzzy Hash: AB519475E01208CFCB48DFA9D59099DBBF2FF89310B209569E805BB368DB35A946CF50

Function 0101F0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f8acdd223b72eaa394b7d344f77654128c5b1ed79f4b89e0eab47afd0d2547
Instruction ID: cfce5caa1eb8b5656daf39cb6447769b90389b5036469ca37371d953a8781740
Opcode Fuzzy Hash: 17f8acdd223b72eaa394b7d344f77654128c5b1ed79f4b89e0eab47afd0d2547
Instruction Fuzzy Hash: CB51BE74E02229CFCB64DF68D984AEDBBB1BB49301F1055AAE409A7354D739AE85CF00

Function 01019A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20df2190977ddf11ff773c8b5dedb137e6d973d8b8d51968a07f72ce2217121
Instruction ID: 6cada5bd52fa76901a0a410f64c4f5f9b444ad1bb3388944ae27976ae1bd19be
Opcode Fuzzy Hash: f20df2190977ddf11ff773c8b5dedb137e6d973d8b8d51968a07f72ce2217121
Instruction Fuzzy Hash: 0041D531A04249DFCF15CFA8C854ADDBFF2BF89318F048555E9859B29AD338E915CB90

Function 06759A49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814ad176beb8f320a39e784f2167cc8f64203363a5b380d8a2232e398de7282e
Instruction ID: eafadeb36ef1f3117a8c6173a3d9f16cbcc19ac714ebbb157bf5e4ace92bb4ff
Opcode Fuzzy Hash: 814ad176beb8f320a39e784f2167cc8f64203363a5b380d8a2232e398de7282e
Instruction Fuzzy Hash: D441D1B8D00249CFDB44DFA5D9847EDBBF1AF88300F14842AE815A7298EB745A4ACF50

Function 06759500 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0426a427636e0dc1323f0a2ddd384bfb644d120edcabf90894ce177f5e682e5
Instruction ID: 8c9ce260c2040b43f22c4f0712be196a12559571a474422ffd1581c4b441edd7
Opcode Fuzzy Hash: d0426a427636e0dc1323f0a2ddd384bfb644d120edcabf90894ce177f5e682e5
Instruction Fuzzy Hash: 3B41A171E00319DBDB54CFA5C980AEEBBF2EF88710F158169E915B7280EB70AD45CB90

Function 0101E134 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88b39bb73703523327891ed3339da828c9b1795b5a315a49ffed45727571520
Instruction ID: 310c6222da8aa06ca427c6f1f5b2ede77fd68b4f231c48fee53509310bb3a218
Opcode Fuzzy Hash: b88b39bb73703523327891ed3339da828c9b1795b5a315a49ffed45727571520
Instruction Fuzzy Hash: F8414F74D05108CFCB16DFA8D484AEDBBF2FF49300F609519E885AB249D779A881CF55

Function 0101D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60a38edf61aa289d89190bd257ca5ee1710488a907170d1e0176cd5c9e43522
Instruction ID: 6a391dd9d6fe73e71473fbea9fcc07c647f8e0343dfd8e141a354eba6146c0d8
Opcode Fuzzy Hash: e60a38edf61aa289d89190bd257ca5ee1710488a907170d1e0176cd5c9e43522
Instruction Fuzzy Hash: B0413B74D05248CFDB14DFE8D488AEDBBB2FF49301F209519E499AB249E739A842CF54

Function 06759A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0b4ac1c060c660c1f52255707ba2f13beec902491d8d1215cdd280127c14ad
Instruction ID: 34480c188e273a8dc131210681c052ac115e7188e05d789723eca99c83ded64c
Opcode Fuzzy Hash: df0b4ac1c060c660c1f52255707ba2f13beec902491d8d1215cdd280127c14ad
Instruction Fuzzy Hash: 5241B2B4E01249CFDB44DFA5D9847EDBBF2BF88300F10842AE815A7298EB745A46CF50

Function 0101E0D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648868916d8610ea7adaaeab75b5a490602e5a33e53b878aaba693813b626f93
Instruction ID: 90b0a09d2ca97194721476b95a2a05890bcf8bf5b6d2a67335013ec7017f312b
Opcode Fuzzy Hash: 648868916d8610ea7adaaeab75b5a490602e5a33e53b878aaba693813b626f93
Instruction Fuzzy Hash: A4412674D05108CFCB16DFA8D484AEDBBF2BF49310F209529E885BB259C779A881CF50

Function 0101D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607e8912be938bf3e44ebf9402cd18efb27e93f6ea8c5853850b2bc1d28cd0c4
Instruction ID: 170e21ffea3efc05543390c5c5ee8f1671d59dbabc84ccebf66303a614e1ef9c
Opcode Fuzzy Hash: 607e8912be938bf3e44ebf9402cd18efb27e93f6ea8c5853850b2bc1d28cd0c4
Instruction Fuzzy Hash: 1A41F374D05208CFDB04DFE8D498AEDBBB2FF49311F209519E449AB249E739A882CF54

Function 0101D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa593bd49ad7517b9b95a4afdcb850f3d56f835692cff29d1704b68e2189db12
Instruction ID: 30906b8d8a7f82eceacd34df11e8ed4f1be70f740f4621d64945a39781072ce9
Opcode Fuzzy Hash: fa593bd49ad7517b9b95a4afdcb850f3d56f835692cff29d1704b68e2189db12
Instruction Fuzzy Hash: 5E41E370D05208CBDB04DFA9D488AEEBBB2BB89301F14D529D458BB259DB79A842CF54

Function 0101DF88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f3d07cd53a5d185ce6299bb1bf8a902afae2cf0f15ade193a7bc4dca4ed66
Instruction ID: 7ec8c39961271f61c6a527c6185a4aaec83628f95f5a42a4963364d7d85bb9cc
Opcode Fuzzy Hash: 118f3d07cd53a5d185ce6299bb1bf8a902afae2cf0f15ade193a7bc4dca4ed66
Instruction Fuzzy Hash: 71313B74D011088BDB0ADFA9C444AEEFBF2BF89300F14D529E844BB259DB79A881CF54

Function 01014DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c749320f4d140ef8b894e1dee68754fa2412323219561f995dc0809e0db0a86d
Instruction ID: ee810b67fde0f9296d65be58f3a6da75084766f04d221d29e897dc612cc56805
Opcode Fuzzy Hash: c749320f4d140ef8b894e1dee68754fa2412323219561f995dc0809e0db0a86d
Instruction Fuzzy Hash: 33316F31608249AFCF059FA8D454AAF7BE6EF88300F004414F955CB265CB39CD65CBA0

Function 010176D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cad52fa64327532056eaa24b21dd2a7482f98cd4df9d8eb5647a21455fdde6
Instruction ID: 728bdf092b5279ecfd7e0b520b7f729a69927a1047513e523c34b8a58d3d28b6
Opcode Fuzzy Hash: 13cad52fa64327532056eaa24b21dd2a7482f98cd4df9d8eb5647a21455fdde6
Instruction Fuzzy Hash: 7A21C4343042414BEB26167E8A94A7D77D7AFC4715F1840B9E586CB79AEE288C42D790

Function 0675DCB1 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91357855a59aa2d79a8df91d963fbde4c62626fa4def77bf3bd25086cf316605
Instruction ID: deb10147dac35ef6044cd1a2f896d5fb15691345315cd42501e28d2df0e16f2e
Opcode Fuzzy Hash: 91357855a59aa2d79a8df91d963fbde4c62626fa4def77bf3bd25086cf316605
Instruction Fuzzy Hash: 4131807580531ADFDB04AFB0D86C7EEBBB1EF4A312F108859D911672A5CBB80A48DF51

Function 0101A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2755ed52a57f016262911b874182853539a2e9f02243d72f5ec980c074248382
Instruction ID: 650f46ccdefc82fc3fca555ecbfb52694597149d01bdd5885229c25156f965d4
Opcode Fuzzy Hash: 2755ed52a57f016262911b874182853539a2e9f02243d72f5ec980c074248382
Instruction Fuzzy Hash: BD31CF70F011098FCB04CF6DC8849AEBBB7FF88320B158159E5959B3A5CB34AC42CB90

Function 010176E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22fded8286a344623dc20910719ce4ff43bd94a8ea679d143ef71b9b0f82f34
Instruction ID: 5a1a134b18460badde1d9c381c5577c7f11d92fd21de14522750e41d0cc7a1cc
Opcode Fuzzy Hash: c22fded8286a344623dc20910719ce4ff43bd94a8ea679d143ef71b9b0f82f34
Instruction Fuzzy Hash: BA21B0343042014BEB261629C954A7E76D7BFC4719F1840B8E946CBB9DEE29CC42D791

Function 01012060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feefb2b37a6cabbeffbaedd1b2c60ff6eca4ba03f618f5388333552423d4cb56
Instruction ID: 4a9ae60bb5965d7d0e4e1c9b119cd0661a543383facfb55b8fa6560f177c4b88
Opcode Fuzzy Hash: feefb2b37a6cabbeffbaedd1b2c60ff6eca4ba03f618f5388333552423d4cb56
Instruction Fuzzy Hash: 4E21F135A002059FCF51DF78C4409AE77A6EB9C260F20C559E84A8B359DB35EA42CBD1

Function 01015A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6c56612d586083a8de76580e0da1727571cd1e644e8b457087d3928f383300
Instruction ID: f42cc06e6c9478b262658490c43c99911380704aae6d92b48771613497c56876
Opcode Fuzzy Hash: 7f6c56612d586083a8de76580e0da1727571cd1e644e8b457087d3928f383300
Instruction Fuzzy Hash: E021D3317457119FC7159B68C8A452EBBA2FFC665170844A9E946CF369CE38DC02CBD0

Function 00F4D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893418335.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f4d000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7eb0c1ba9caab95a247fafb9f6030ee2a4f8f9639cb7f51f4ea379049db3bf5
Instruction ID: d9a20f1164e4c866e2ea1efe274f4fa27f66161ea7539607c5e8ff313a40b961
Opcode Fuzzy Hash: e7eb0c1ba9caab95a247fafb9f6030ee2a4f8f9639cb7f51f4ea379049db3bf5
Instruction Fuzzy Hash: AE210771504204DFDB14CF18C9C4B26BFA5FB88324F24C96DED494B245C776D846DA61

Function 067596F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617b3232504c9fa14f3269d5f577683578d1089f56c153723f7b4399fb1c710d
Instruction ID: 1b550bb7a51edbc61b90a11b403ff8f2d05783cd030c7a29a770ea081fda394c
Opcode Fuzzy Hash: 617b3232504c9fa14f3269d5f577683578d1089f56c153723f7b4399fb1c710d
Instruction Fuzzy Hash: 611108767042941FCB065EBCA8655AE3FA7EBC9360B544429E909DB3D1DE384D0287A2

Function 0101215C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fe1be6eddbf7f24c280bd4b58536099bc717b40d814d5c21c4d63e826e49be
Instruction ID: d8be3443a2ab814208b1d5df435e4dc1d21e3f330a12ef1ad0b9930c5dbdb9e9
Opcode Fuzzy Hash: f0fe1be6eddbf7f24c280bd4b58536099bc717b40d814d5c21c4d63e826e49be
Instruction Fuzzy Hash: D4115E35E442499BCB01DBFC9C104DEBB35FF89210B24C796EA6677051E9311815C3A1

Function 010139ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2747b259992f9a4ef8885dc5c48d6f515005e818b2df9066a14aeec397626264
Instruction ID: b15abe4961bfd4c48961e3623f9a0b4fa77c4794dd34c7c41a180cad7a774dac
Opcode Fuzzy Hash: 2747b259992f9a4ef8885dc5c48d6f515005e818b2df9066a14aeec397626264
Instruction Fuzzy Hash: 8B319278E15209CFCB44DFA8E59489DBBB2FF49311B204469E809AF328D735AD55CF40

Function 01014DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e27e799be349ccda74604d17734a98d89d59a4ba7b6a2d6fcac335c7532ca83
Instruction ID: 98bd2f08c4232210ce8b54596e621e43ef6aa2360551336f8b35618c333a6167
Opcode Fuzzy Hash: 6e27e799be349ccda74604d17734a98d89d59a4ba7b6a2d6fcac335c7532ca83
Instruction Fuzzy Hash: B821C2316082459FCB169F68D454AAF3FE2EF84314F044469F985CB266CB388D66CBA0

Function 01011F08 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610d373882db1f20db32b6c4e74c077946ad61bd24d6d0d2a43aeec14c3caf0a
Instruction ID: c81c95806dd6c2cea5aaf834fff70be1a1107a1c9cf7ac8d1580e8204a071c21
Opcode Fuzzy Hash: 610d373882db1f20db32b6c4e74c077946ad61bd24d6d0d2a43aeec14c3caf0a
Instruction Fuzzy Hash: 51217A74C092098FCB05EFB8C9485EDBFF0BF49300F1445AAD545B7254EB305A44DB92

Function 0101E1F8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebe29b3a2e02922361c866f4d8a6da43665b9381653eacf99018f994bf4f067
Instruction ID: fb4391591adbd6521ffddb6ad3306111105e14340a90da5769b2a501b04bcb5f
Opcode Fuzzy Hash: 2ebe29b3a2e02922361c866f4d8a6da43665b9381653eacf99018f994bf4f067
Instruction Fuzzy Hash: C9219FB490514A9FCB41EFB9D54179EBFF2FF45300F0085AAD0449B265EB301A46CB81

Function 0101D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1771c607743fdc22d8d30cf4cdea21f27b003244be2da1e102392861d5df1370
Instruction ID: 6c4aaf34248f9cd72a8de1c9ff9e650669df4860b1f3ac9bf190446a5cd60a24
Opcode Fuzzy Hash: 1771c607743fdc22d8d30cf4cdea21f27b003244be2da1e102392861d5df1370
Instruction Fuzzy Hash: CE117C74D042489BDB08CFBAD4086EEBBF2AFCD301F08C565D848B726AD73454568F50

Function 0675E0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e320889193b07eceb1be7fd851fe474ffbbb2cfcde4679f57ad3483337be4eb
Instruction ID: e71f7ec9832abdb0b62343a3790946163d7ee582e7c782afcddb40d8ec97596d
Opcode Fuzzy Hash: 1e320889193b07eceb1be7fd851fe474ffbbb2cfcde4679f57ad3483337be4eb
Instruction Fuzzy Hash: EB11C831B082548FD7451B7A5C585FFAFABAFCA210B1984B7E546C7296CE748D0A8370

Function 01015A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605d553ea097e2eba959d36a4388e5d34634bdd1e9f853192590eb0fd2502c2b
Instruction ID: 302c26cfce8852d54d27c5d3bf31bf786a9ec3deeef75f84bd62be644f22cfd9
Opcode Fuzzy Hash: 605d553ea097e2eba959d36a4388e5d34634bdd1e9f853192590eb0fd2502c2b
Instruction Fuzzy Hash: 7B11E1327456129FD7199A29C8A493EBBE6FFC566171844A8E906CF364CF34DC02CBD0

Function 01011F61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4fc709187aa0164ffd78df32073bd3e1ea405e50b12225ff46f0116960f1fb
Instruction ID: 7af9c13cac2cf536c4f4994d2c140b778426ba90e2b7815825af851445b01223
Opcode Fuzzy Hash: aa4fc709187aa0164ffd78df32073bd3e1ea405e50b12225ff46f0116960f1fb
Instruction Fuzzy Hash: 7421C078C092098FCB40EFA8D9595EDBFF0BF09300F14466AD949B7265EB301A59DBA1

Function 06759350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00947eefb089cca60bf2d350781b67ef9f100168733d67dce4f2f3506ab98797
Instruction ID: 414aa524ae55396ac75d44cd5a113e910d716c163b3d8f4f650dbd3300b60336
Opcode Fuzzy Hash: 00947eefb089cca60bf2d350781b67ef9f100168733d67dce4f2f3506ab98797
Instruction Fuzzy Hash: F41179B2800289DFDB10CF99C944BEEBFF4EF48320F148459EA14A7210C379A550DFA5

Function 06759999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a206b749b39147653d8c49bd9315581282750efaf478c7276321532c6e9fbb
Instruction ID: 7e9b835bf8bd64bae0809c085a155b98399b726f978440f107d9191ff1e3f234
Opcode Fuzzy Hash: f0a206b749b39147653d8c49bd9315581282750efaf478c7276321532c6e9fbb
Instruction Fuzzy Hash: 921158B6800289DFDB10CF99C845BEEBFF8EF48320F148459EA18A7251C379A554DFA5

Function 0101E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7ef69b54f3560053cf5b1771649aba0fddf98c4327d42a70e57a40081edb8b
Instruction ID: 3c0c600ba91da8de16ad1d28635af56d0ad1ee1764ee60f12003970643ab20a8
Opcode Fuzzy Hash: 9a7ef69b54f3560053cf5b1771649aba0fddf98c4327d42a70e57a40081edb8b
Instruction Fuzzy Hash: 3B117CB4D0120A9FCB41EFB9D94179EBBF2FB49300F40C5A9D004AB254EB345A46CB82

Function 06758EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f2ab460939ee954aca0268917c83ebb9846540dd85c3966e9083732a02345c
Instruction ID: 61d5e3713bd25aa3aa4d2d6c70efd8fa17343a9602e672b8485c1b0ed6a45d43
Opcode Fuzzy Hash: 74f2ab460939ee954aca0268917c83ebb9846540dd85c3966e9083732a02345c
Instruction Fuzzy Hash: 2F115E74F001598FDB40DFE8D950BAEBBB2EB49311F41D0A5E908AB349EB7199428F91

Function 00F4D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893418335.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f4d000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: 199fb1b18d1d5e10f0a74a1e247bd9d26effc88494d9c6cc33229edcbc60c368
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: DB11BB75904284CFDB11CF14C9C4B15BFA2FB88324F24C6ADDC494B256C33AD84ADB62

Function 06752670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2171e9babf7c2bd0053f8da3d7c34ec304a31cd2e6bf306b4164d4f84d5ab9
Instruction ID: 736693e9befa32c275b9f855da7972e04f252d781ce01f83f2d428a4e0dfc2f6
Opcode Fuzzy Hash: 8b2171e9babf7c2bd0053f8da3d7c34ec304a31cd2e6bf306b4164d4f84d5ab9
Instruction Fuzzy Hash: 45118E75F102118FC790DB78D9086AE7BF4EF88311B0205A9E815DB711EB31CA068F90

Function 01015607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b5db365cd7c1d73b99d3af3ada3bdbfb3cec7129005e8d275cb53447f1ef8f
Instruction ID: d527f9d67ddd599287a54d188b625824db89851e824175cdabe02c446b2592a7
Opcode Fuzzy Hash: c9b5db365cd7c1d73b99d3af3ada3bdbfb3cec7129005e8d275cb53447f1ef8f
Instruction Fuzzy Hash: DC01D871B041156FDB058E58E804AEF3BE7DFC9751F18846AF905CB294DE75881687A0

Function 067525E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fecaccc66daa2d4dae2509ed41ad2167a201ff38b7794ceb516f9c73f6a6265
Instruction ID: 890ddafc5de22dbe98d5637f4dd5120640894c94e32e56d53aa4552c1394ef73
Opcode Fuzzy Hash: 0fecaccc66daa2d4dae2509ed41ad2167a201ff38b7794ceb516f9c73f6a6265
Instruction Fuzzy Hash: 7201F670E013198FCF44EFB9C8006EEBBF5AF88200F10856AD819E7254E7745A018B90

Function 0101DF08 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976372cc580c537892e56aba89cc69fc8fe1db8e096ebf90825aca346365b54b
Instruction ID: 936983a67abd2b95a28d9e7fed5128a837a82073c214c6996795a837e0c114fe
Opcode Fuzzy Hash: 976372cc580c537892e56aba89cc69fc8fe1db8e096ebf90825aca346365b54b
Instruction Fuzzy Hash: B3F0233D9491446FCB149FF968192FD77B19F87711F009569D944A33A1CB71850B9A40

Function 0101D449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7b62aebef8147bf31666d0c59bb4d83d42241d134247b26d8f9efbc9c7dd38
Instruction ID: 81ed3975576296bc4f6a8dbffa4cf5e6db496a02853e5cc961346e89489ec5ee
Opcode Fuzzy Hash: fe7b62aebef8147bf31666d0c59bb4d83d42241d134247b26d8f9efbc9c7dd38
Instruction Fuzzy Hash: 62E0553888A1489BC7108BB6A81A2FDBBB18F87311F0099A9D440A3262CB611407CB00

Function 0101DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5d71b726c9b9001520967511bfd364410828e7f18dd4ef2e59791459b04886
Instruction ID: 9a0d29f4c57fec71b91c4f8cf7d85962e40d66c8a6ebe4f3011d59fc503c23da
Opcode Fuzzy Hash: 5b5d71b726c9b9001520967511bfd364410828e7f18dd4ef2e59791459b04886
Instruction Fuzzy Hash: 32F03A71A11125CFCB84EFBCC44456E77F0AF0822172145A9D409DB321EB30D9008BD0

Function 0101D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bd0d92ab7d9606712a3511ab30dd3d3a66ebc481746cfac33ecd584c150edb
Instruction ID: 63ca81ec421b4ef26985438c3a378a662ec37e8c3a304971cbfc89a11db22df4
Opcode Fuzzy Hash: 83bd0d92ab7d9606712a3511ab30dd3d3a66ebc481746cfac33ecd584c150edb
Instruction Fuzzy Hash: E1E0DF96C881409BE3109BEA681A0B9BF70DEE7251744A4C7D0C98B529EB18A206DB11

Function 01012010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eaa1dc5182755e00e6a7c1199f58d3d209d212659bda1dc8b6875d59e6cb5b5
Instruction ID: 5cf81274faaca3b6fdc63916435c7530be806dc414cfbfb47569f4c29bf0e9b5
Opcode Fuzzy Hash: 1eaa1dc5182755e00e6a7c1199f58d3d209d212659bda1dc8b6875d59e6cb5b5
Instruction Fuzzy Hash: 56E06830D283D29BCB0297B09C040FEBF709DC3210B0645ABD0A077411E7301A1BC7A1

Function 01012020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b1f73b0fc6bbf61c9847a0460388704a2a48838e4f63fd45941af1b8bb7455
Instruction ID: 836aca71d7febede66b29f61092e56f7ef7ae592c7c100d2759c81c4eb04d0ee
Opcode Fuzzy Hash: 19b1f73b0fc6bbf61c9847a0460388704a2a48838e4f63fd45941af1b8bb7455
Instruction Fuzzy Hash: F6D05E32D2022B97CB00EBA5EC048EFF738EED6261B948626E52477154FB703659C6F1

Function 01018258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 1986cab06a7540b3d4520980ca3a3915d2cac2dc591d6a5d1d64e5f6f34f8273
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A0C08C3320C5282AA636108F7C40EF7BB8CC3C13F4B298177F99CE3200A8469C8001F8

Function 0101A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ae6ed5eb3302008ca69f2866799b123f68900500e6b383194d567cbe655306
Instruction ID: 5b0f7a2f5e0b0d434a619fa80a1332dd9cf1e752971242e859e298e8b79a6fcd
Opcode Fuzzy Hash: 89ae6ed5eb3302008ca69f2866799b123f68900500e6b383194d567cbe655306
Instruction Fuzzy Hash: 4BD0677BB410189FCF049F98EC408DDB7B6FB9C221B048526E915A3265C6319925DB50

Function 01015EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d258fd6d5fe8698f1e61ad5eac053440ed712627a0bba09b7079ca6317da09
Instruction ID: 05788c63c101a4fd71ce5661d9e59a0e328a3406cac379cc077859713d9f6e30
Opcode Fuzzy Hash: 97d258fd6d5fe8698f1e61ad5eac053440ed712627a0bba09b7079ca6317da09
Instruction Fuzzy Hash: EBE0C27090C3C21BC712F77AE95649C3F22AA80204F440594B4424E10BEA79089A87A1

Function 0101FBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7301aa52ced76c51b7d092fee3290eec9c5005d1856b1eaffd140b1666995d6d
Instruction ID: a48bc1a6c314eb43764d481656fe31f18a563e7895f772653bbd7c54eb7bf4a6
Opcode Fuzzy Hash: 7301aa52ced76c51b7d092fee3290eec9c5005d1856b1eaffd140b1666995d6d
Instruction Fuzzy Hash: 5CD06774D4411DCBCB20DF94EA452ECB7B0EF89300F0014D69809B3200D6345A649F11

Function 01015EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e6bb51a16234f7b6bafd1c9059df8fd6431d08d0dfac71df2c20e3a1e06d33
Instruction ID: 049b4ca461256c6c2888632ad5ce24aaa423df12e99fed3efe4d84d04cab761e
Opcode Fuzzy Hash: b8e6bb51a16234f7b6bafd1c9059df8fd6431d08d0dfac71df2c20e3a1e06d33
Instruction Fuzzy Hash: 70C0127050C34A47C501FBB7EA46919371AE7C0300F404910B10A0E119FEB819D546E1

Non-executed Functions

Function 06752807 Relevance: 14.1, Strings: 11, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 06753087
PHgq, xrefs: 06752DD7
PHgq, xrefs: 06752BFE
PHgq, xrefs: 06752DEB
PHgq, xrefs: 06752EE6
PHgq, xrefs: 06752ED2
0oJp, xrefs: 06752A00
PHgq, xrefs: 06752CE2
PHgq, xrefs: 06752BEA
PHgq, xrefs: 06752CF6
Hkq, xrefs: 06752869

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: "$0oJp$Hkq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq
API String ID: 0-672688664
Opcode ID: a366f69f4fe645789696d8a7dcaca13abcf47fd4435c6987cc58860ed2985cac
Instruction ID: f34c4d750f745919ac242dd755d07ab2ac4ba57ee5f22ecc037720ff2a7bab81
Opcode Fuzzy Hash: a366f69f4fe645789696d8a7dcaca13abcf47fd4435c6987cc58860ed2985cac
Instruction Fuzzy Hash: 2712C3B4E00218CFDB58DF69C984B9DBBB2BF89300F1080A9D919AB365DB755E85CF50

Function 067533B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oJp, xrefs: 06753423

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp
API String ID: 0-3363274003
Opcode ID: 069c7f345e10706bed396b32730f376e760873169cd3fcafb0af9436457b9cc8
Instruction ID: 93d23f4ced65825ff0edf670c903bb0fbab6cafbe15fbed91d53355876450336
Opcode Fuzzy Hash: 069c7f345e10706bed396b32730f376e760873169cd3fcafb0af9436457b9cc8
Instruction Fuzzy Hash: BBB1B774E00218CFDB54DFA9D894A9DBBB2FF89310F1181A9E819AB365DB30AD45CF50

Function 067533A8 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

0oJp, xrefs: 06753423

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: 0oJp
API String ID: 0-3363274003
Opcode ID: 917e2ec632f269beba0eb163fee6ad41df2ae3a1b199babc8806bb5b23cbdfbc
Instruction ID: 1afce7c62a9fa1f3518d1d6e7c9b2de9fa159cbb776408dd1c3e9eed84299cf1
Opcode Fuzzy Hash: 917e2ec632f269beba0eb163fee6ad41df2ae3a1b199babc8806bb5b23cbdfbc
Instruction Fuzzy Hash: B251A774E016088FDB48DFAAD984A9DBBF2FF89310F15C069E814AB364E7349942CF50

Function 0101E528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5098fe0f46673b06b12a13a03993ee8f3a4a1cc3aed84ca41ce55128897525
Instruction ID: f073ead881c17f1622d7938a2ebbb8699e346cfb2409c0108cb4aa22375ecfef
Opcode Fuzzy Hash: 7c5098fe0f46673b06b12a13a03993ee8f3a4a1cc3aed84ca41ce55128897525
Instruction Fuzzy Hash: 0B52AE74E01228CFDB65DF69C884BDDBBB2BB89300F1085E9E449A7258DB359E85CF50

Function 06755A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6d5d286b29d2155c158f9027e52d99e3dd747a102a52cfc7a2975290a3432
Instruction ID: 11c921b95877598e78a19a32249181754a055425d91ccad82e3800f046c145e0
Opcode Fuzzy Hash: e1e6d5d286b29d2155c158f9027e52d99e3dd747a102a52cfc7a2975290a3432
Instruction Fuzzy Hash: F0C19074E01218CFDB54DFA5C984BADBBB2FF89300F2080A9E809AB354DB755A85CF50

Function 06755618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a386e789172159254981904b1082654a028c797c6812e83f61e2a19ebefb338c
Instruction ID: 9649f4ac60fdaca0fbe5dbb8ec6d3bd0732b789d2a150f005fec19219a4a3713
Opcode Fuzzy Hash: a386e789172159254981904b1082654a028c797c6812e83f61e2a19ebefb338c
Instruction Fuzzy Hash: 9DC1A174E01218CFDB54DFA5C994B9DBBB2FF89300F1080A9E809AB358DB755A85CF51

Function 06755EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7d3a96ade17e48f6699d71ba0a366ee8a15d6f84990a6cc66c81087da51dc0
Instruction ID: 8a9a4567967dfd2d574847c7fd7090f8beb6522b70b133fcdf0f0c93c3ec43b6
Opcode Fuzzy Hash: 3b7d3a96ade17e48f6699d71ba0a366ee8a15d6f84990a6cc66c81087da51dc0
Instruction Fuzzy Hash: AEC19174E01218CFDB54DFA5C994BADBBB2FF89300F1080A9E809AB365DB755A85CF50

Function 06756778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a5c31fce91e0d4c118e820a7a3d47f6554d7f4fd2176f85daa2679de71ebc8
Instruction ID: 11280c18f3475a0998d547780c6b191f0e38c53faafe4bdae9f708344d2782f7
Opcode Fuzzy Hash: 20a5c31fce91e0d4c118e820a7a3d47f6554d7f4fd2176f85daa2679de71ebc8
Instruction Fuzzy Hash: ECC19174E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9E809AB364DB755E85CF51

Function 06756BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8c1a7d29a9dd55541f90a48d0c22b55c532f8841f80ea328122089ae82f191
Instruction ID: 0f2267131e56e801c038b12a0c6389891a929782aa2c78f8d456e4722a2342c3
Opcode Fuzzy Hash: 0c8c1a7d29a9dd55541f90a48d0c22b55c532f8841f80ea328122089ae82f191
Instruction Fuzzy Hash: EEC18074E01218CFDB54DFA5C994B9DBBB2FF89300F1080A9E809AB368DB755A85CF51

Function 06757050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220491f6e701dad591ea609331ec40bffe977cfa81de488f31ceb0c8f438c32e
Instruction ID: a5a109a32e384e198f682ae96b5255c526f25dfd71898e44d72325bac486428a
Opcode Fuzzy Hash: 220491f6e701dad591ea609331ec40bffe977cfa81de488f31ceb0c8f438c32e
Instruction Fuzzy Hash: 09C1A074E01218CFDB54DFA5C994BADBBB2FF89300F2080A9E809AB354DB755A85CF51

Function 06750040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf0e4f3ae43de37b3a15b39533b95b4570f8cc86b79a1ab1172fbfbd7421220
Instruction ID: 6bad56a13881429a271670f7e0c832e32a0d0c3cba6b31fdeaa029df1eab8a63
Opcode Fuzzy Hash: 3cf0e4f3ae43de37b3a15b39533b95b4570f8cc86b79a1ab1172fbfbd7421220
Instruction Fuzzy Hash: E1C19174E01218CFDB54DFA5C984BADBBB2FF89300F1080A9E809AB359DB755A85CF51

Function 067508F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee26c8ccec492ab0e918e3620fe304bdea86a1d9b6390e0634b2543d1e8261d
Instruction ID: e5dd21744b7070a65dcbd7d421184d24c63847aa91c58ebcd39eb53ce052d6c8
Opcode Fuzzy Hash: 9ee26c8ccec492ab0e918e3620fe304bdea86a1d9b6390e0634b2543d1e8261d
Instruction Fuzzy Hash: C2C1A174E01218CFDB54DFA5C994B9DBBB2FF89300F2081A9E809AB358DB755A85CF50

Function 067574A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4b529453e904a672ae5cd03ed5828ec6bce912fe84dba44baff49b781435b8
Instruction ID: 20ef8a55fc106f42b1b411700ae4b5edeb68cf6ed08e81222c6eeb1b23c38901
Opcode Fuzzy Hash: 8a4b529453e904a672ae5cd03ed5828ec6bce912fe84dba44baff49b781435b8
Instruction Fuzzy Hash: 5EC1A174E01218CFDB54DFA5C984BADBBB2FF89300F1080A9E809AB359DB755A85CF51

Function 06750498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4434b13b356ad2ca71313c4fb7f6898bebe2652fde3c29c9bb77037a9a1f0ae4
Instruction ID: 1e1504328a0e4b1be04a2ad3d8f8b7a328e132f758a383fe6e93c8f30c8ed2a9
Opcode Fuzzy Hash: 4434b13b356ad2ca71313c4fb7f6898bebe2652fde3c29c9bb77037a9a1f0ae4
Instruction Fuzzy Hash: 09C19074E01218CFDB54DFA5C984B9DBBB2FF89300F2080A9E809AB355DB755A85CF51

Function 06757D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ba8345b029935f32c343909ffbb59cebdf4f8ed3adfdbc62d92b42d639875e
Instruction ID: 0aa25bc4ecd6f7cc48777461d85b26f79da8cd7335b974e9734f5b459e845760
Opcode Fuzzy Hash: e7ba8345b029935f32c343909ffbb59cebdf4f8ed3adfdbc62d92b42d639875e
Instruction Fuzzy Hash: 31C19074E01218CFDB54DFA5C994BADBBB2FF89300F2080A9E809AB354DB755A85CF51

Function 06750D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbb031284821a18dba6f0812285f532e099f50af29a01f18e278dc96e3bb3ba
Instruction ID: 0f3de3feef1b7fc46bdea732340d2e7bda5043df8f11979b3d9aaa88f8e983dc
Opcode Fuzzy Hash: 9bbb031284821a18dba6f0812285f532e099f50af29a01f18e278dc96e3bb3ba
Instruction Fuzzy Hash: 0EC19074E01218CFDB54DFA5D984B9DBBB2BF89300F2080A9E809AB358DB755E85CF50

Function 06757900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63dc0d9f9a3a061ccbeae722550e35a1bbcd7662bfcb1e46955aed0009864fb
Instruction ID: 07ec8ac28b8b0071e12cbe10a158a90f6df2c8f8fe474505b39865a2653483c6
Opcode Fuzzy Hash: e63dc0d9f9a3a061ccbeae722550e35a1bbcd7662bfcb1e46955aed0009864fb
Instruction Fuzzy Hash: 1AC19274E01218CFDB54DFA5C994B9DBBB2FF89300F2081A9E809AB354DB759A85CF50

Function 067581B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f450ac22f0441005c21c29b781cd1eb3e0a6a147121bd6082b80b16bbb54dad
Instruction ID: 70ddab6bcd595bbc6104a96becec8dae600dfec2a7da01e1b13657d5d75447eb
Opcode Fuzzy Hash: 9f450ac22f0441005c21c29b781cd1eb3e0a6a147121bd6082b80b16bbb54dad
Instruction Fuzzy Hash: AEC19074E01218CFDB54DFA5C994BADBBB2FF89300F1080A9E809AB354DB759A85CF51

Function 06755198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3898671802.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6750000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee893ef79796a50d60fb7a59fec880fed57ab656087c3c331b6bef55bf6b9980
Instruction ID: a7bf5d5a5ee5cd1debcdce95ab080e43197e453800c799c12394d912756d77f1
Opcode Fuzzy Hash: ee893ef79796a50d60fb7a59fec880fed57ab656087c3c331b6bef55bf6b9980
Instruction Fuzzy Hash: AFC19074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9E809AB354DB759A85CF50

Function 0101EB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9607aab48ec1fda9071fba6080c7614ca2eb73c55cf711f18afb815cac7c957a
Instruction ID: f5a5cc6cca59ef569df21453deaf670f1d1d0119386ecedcab16a1394a201bcc
Opcode Fuzzy Hash: 9607aab48ec1fda9071fba6080c7614ca2eb73c55cf711f18afb815cac7c957a
Instruction Fuzzy Hash: 89A19B74A05228CFDB65DF24C944BAEBBB2BF49300F1085EAE84DA7254DB359E81CF51

Function 0101ED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daf74b3aa947f9a8bf639fc996c8e288c01d87646ab29c983831ab4326f1380
Instruction ID: 257bb56532bea625db0d163279ddf6296f1d88bf8469750a8cd15d4bc9f3e1c1
Opcode Fuzzy Hash: 9daf74b3aa947f9a8bf639fc996c8e288c01d87646ab29c983831ab4326f1380
Instruction Fuzzy Hash: 9551A074A05228CFCB65DF24C954BAEB7B2BF4A301F5089E9D80AA7354CB359E81CF50

Function 01016088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;gq, xrefs: 0101609E
\;gq, xrefs: 01016094
\;gq, xrefs: 010160C6
\;gq, xrefs: 010160BA

Memory Dump Source

Source File: 00000008.00000002.3893826640.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1010000_z1MB267382625AE.jbxd

Similarity

API ID:
String ID: \;gq$\;gq$\;gq$\;gq
API String ID: 0-1347663453
Opcode ID: 2338b8f40caf8755030cd82ed8d28663be97e7c370bb878bffef4dfb0e29892e
Instruction ID: 6097ad9a483acf0fd05e5f23397f3d7e9f1055c3671617fc3ce007f95853bdc5
Opcode Fuzzy Hash: 2338b8f40caf8755030cd82ed8d28663be97e7c370bb878bffef4dfb0e29892e
Instruction Fuzzy Hash: E70171317101188FCB668E6DC84492B77F6AF98A6071541BAF581CB3B9DAB7DC818750

Analysis Process: pNgFqm.exePID: 5840, Parent PID: 1060COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	3

Executed Functions

Function 0244CFD1 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0244D05E
GetCurrentThread.KERNEL32 ref: 0244D09B
GetCurrentProcess.KERNEL32 ref: 0244D0D8
GetCurrentThreadId.KERNEL32 ref: 0244D131

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 643943c8839810ebcee3b2ab2b05841017fe3c7bdcc3ba6a8cea0b2f19905e97
Instruction ID: 56379271d4d51a66633fd36b81876f8791cb70623c91c506902db22530918fc7
Opcode Fuzzy Hash: 643943c8839810ebcee3b2ab2b05841017fe3c7bdcc3ba6a8cea0b2f19905e97
Instruction Fuzzy Hash: 785147B0D01649CFDB18CFAAD948BDEBBF1EF48314F248459E419AB360DB34A944CB65

Function 0244CFE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0244D05E
GetCurrentThread.KERNEL32 ref: 0244D09B
GetCurrentProcess.KERNEL32 ref: 0244D0D8
GetCurrentThreadId.KERNEL32 ref: 0244D131

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 97297e2952f1bf7de2d9716a633006331c64e376d7dea506ed84adfe36271de8
Instruction ID: 94516753e625076c3a762e0fb311bfecb1e474ce6ed47d10cefa8945b8e3bd83
Opcode Fuzzy Hash: 97297e2952f1bf7de2d9716a633006331c64e376d7dea506ed84adfe36271de8
Instruction Fuzzy Hash: D05135B0D00649CFDB18CFAAD548BDEBBF1AF48314F248459E409AB360DB34A944CB65

Function 0244AD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0244AF9E

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 14e2660af6dcffd1eb4ac4e69dd52db220036b2858415b52a5b9c83b802205e5
Instruction ID: 52a7eb325472f6d0afe7662a80c739b17df88a94d44a527f672e8b03838a7d48
Opcode Fuzzy Hash: 14e2660af6dcffd1eb4ac4e69dd52db220036b2858415b52a5b9c83b802205e5
Instruction Fuzzy Hash: 8E713570A00B158FE724DF2AD05475ABBF2BF88304F10892ED49A9BB50DB75E849CB95

Function 0244590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024459C9

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 12a978290c0b8879a0cd503b24fde8410149779586023912ad1b55ae93d66fd6
Instruction ID: 1c0f6b3f296c7f485e3eed8989e6301324823da1e652b8cc4849e8162c40594d
Opcode Fuzzy Hash: 12a978290c0b8879a0cd503b24fde8410149779586023912ad1b55ae93d66fd6
Instruction Fuzzy Hash: FC41F2B1C00619CBEF24CFAAC985BDEBBF5BF48314F60805AD409AB251DB75694ACF50

Function 024444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024459C9

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b85d7e1a79ced283c6946dcec10ed11a2595208488d583682edae54a49fd3001
Instruction ID: f66008481fe40752aef4f0fe18b4a808d9655b1c93ecd574ec1bbc722af4195f
Opcode Fuzzy Hash: b85d7e1a79ced283c6946dcec10ed11a2595208488d583682edae54a49fd3001
Instruction Fuzzy Hash: B541D1B0C00619CBEF24DFAAC985B8EBBF5BF58304F60806AD409AB251DB756945CF90

Function 0244D628 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0244D6B7

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce9b37012ba85f97479750bee0f2aa42d223936e1596d81e769b219e26972236
Instruction ID: f7f2c4b0c3948690083bb20dd495f20569c7c70c7febadefa84cc8f646f027a8
Opcode Fuzzy Hash: ce9b37012ba85f97479750bee0f2aa42d223936e1596d81e769b219e26972236
Instruction Fuzzy Hash: 4021F4B5D00258DFDB10CF9AD984ADEBFF4EB48720F14841AE958A7350C378A945CFA5

Function 0244D630 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0244D6B7

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a2df659c009b85f1ef14433ffff8b1cf23589d9bd221a1451c4a493d1c944ab3
Instruction ID: 81d79788ae649a42d8bc6f0d26fc8ca9ca0dbd45ec3b431ced5f4a0e214b3552
Opcode Fuzzy Hash: a2df659c009b85f1ef14433ffff8b1cf23589d9bd221a1451c4a493d1c944ab3
Instruction Fuzzy Hash: 2F21B3B5D00258DFDB10CF9AD984ADEBFF8EB48720F14841AE918A7350D375A944CFA5

Function 0244AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0244AF9E

Memory Dump Source

Source File: 0000000A.00000002.1511165734.0000000002440000.00000040.00000800.00020000.00000000.sdmp, Offset: 02440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2440000_pNgFqm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dd54ac968d25f5a9e023e283ad56d3ca847497f6a3eca23d8f2cfff3889bf1a5
Instruction ID: e5ebb48f2119659f50a8fc50bd492e9e01de45c8474908be3af8e3546a5cefcb
Opcode Fuzzy Hash: dd54ac968d25f5a9e023e283ad56d3ca847497f6a3eca23d8f2cfff3889bf1a5
Instruction Fuzzy Hash: B6110FB6C006598FDB10CF9AD544ADEFBF4EB88324F14851AD819A7200C379A545CFA1

Function 006ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508386782.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6ed000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0740f15a7990a2d93d8207523663c5b94a912222585056d990b32bddae7847
Instruction ID: 41a40ac47c3e9410520c4e8f54fc312e2418affb76cb1c730d4b6a1d7a980744
Opcode Fuzzy Hash: 9b0740f15a7990a2d93d8207523663c5b94a912222585056d990b32bddae7847
Instruction Fuzzy Hash: 702136B1500384DFDB01DF05C9C0B1ABFA6FBA8314F24C568E9090B286C336E806C6A2

Function 006FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508466947.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c167dae238f33ce29fa0f2288ba029e87999f476abc7dc524b5aee2d7e7ffd0
Instruction ID: ac90cc93bddd7ca135d94c36ad9a2bd76bc958909b9c7c0c4f2fa7a023cd6234
Opcode Fuzzy Hash: 3c167dae238f33ce29fa0f2288ba029e87999f476abc7dc524b5aee2d7e7ffd0
Instruction Fuzzy Hash: 1B210771504248DFDB14DF14D5C0B26BBA7FB88314F24C56DEA094B386CB36E847CA61

Function 006FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508466947.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab73150695e4ebd106ee7e1948d0b96ea37e5f76acc2edbc6393c8c9d40ea421
Instruction ID: f22c73acf05ae17db36b735ab01ed3a41e2ce131c11f8e4c0f53baa5d7f08f97
Opcode Fuzzy Hash: ab73150695e4ebd106ee7e1948d0b96ea37e5f76acc2edbc6393c8c9d40ea421
Instruction Fuzzy Hash: 8F21F571504208EFDB05DF14D5C0B26BBA7FB88314F24C56DEB094B355C336E906CAA1

Function 006FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508466947.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a782a7ab5113dedbc062ae891cb4e1d9cf20c4785cd384fad11260be055f9e2
Instruction ID: 02c2b4602e951372929d3707a96823896fd90d28bf7a9806ba3f77e5316a71b0
Opcode Fuzzy Hash: 8a782a7ab5113dedbc062ae891cb4e1d9cf20c4785cd384fad11260be055f9e2
Instruction Fuzzy Hash: 3F2192755093C48FDB12CF24D990715BF72EB46314F28C5EAD9498F6A7C33A980ACB62

Function 006ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508386782.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6ed000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: 35b93977639adf2000ffd5bea6c40560909e6b8cac3b3feefb045caf442b2050
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: 5911D276404280DFDB11CF00D5C0B56BFB2FBA4314F24C2A9D9090B296C33AD456CB91

Function 006FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508466947.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: 65a1a68ff9abb0b42b32c1b71f190a7c6177e8fe2650ba74cfcaa07bbfcecf6a
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: B511BB75504284DFDB12CF10C5C0B25BBA2FB84314F24C6AADA494B396C33AE80ACBA1

Function 006ED759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508386782.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6ed000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8031493dedc896e409b565953f6de89c83bc85b75a505007087ca16aac6e12f
Instruction ID: f2d639ef6db30390244f44ff40235c6e87cbf367181c5887899fecc92576efc3
Opcode Fuzzy Hash: e8031493dedc896e409b565953f6de89c83bc85b75a505007087ca16aac6e12f
Instruction Fuzzy Hash: C401DB710063809AEB209B17CC84B67FFE9EF55720F18C91AED094E386C3799C40C6B1

Function 006ED758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1508386782.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6ed000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a29e67647fcd20cf50c9efe3fad60122e48371d3db87b2a699c4732f249b45
Instruction ID: 547728f9528d889fdac908dbcaae24e9c734e62cee43da248b81217169fb11c8
Opcode Fuzzy Hash: 96a29e67647fcd20cf50c9efe3fad60122e48371d3db87b2a699c4732f249b45
Instruction Fuzzy Hash: 43F06272405384AEEB208B16DD84B66FFA9EF51734F18C55AED484F386C379AC44CAB1

Analysis Process: pNgFqm.exePID: 5764, Parent PID: 5840COMMON

Executed Functions

Function 0150B328 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0150B747
PHgq, xrefs: 0150B758
LjJp, xrefs: 0150B6E5
LjJp, xrefs: 0150B6CF
0oJp, xrefs: 0150B562

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: feb51e4da60f07c09d90a9060fdeba9abf2f7c69d47fa51b3e051cd57e17debd
Instruction ID: e08b5db0ae74a9dc373acdda9f1511a0ce6c68990f3f74b54032f8d6b231e59e
Opcode Fuzzy Hash: feb51e4da60f07c09d90a9060fdeba9abf2f7c69d47fa51b3e051cd57e17debd
Instruction Fuzzy Hash: 05E1F975E00619CFDB15DFA9C984A9DBBB2FF48310F168469E819AB3A1DB30AD41CF50

Function 0150C752 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0150C9B8
LjJp, xrefs: 0150C945
LjJp, xrefs: 0150C92F
PHgq, xrefs: 0150C9A7
0oJp, xrefs: 0150C7C2

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: a074a6c350e7756d5e65c5856b2b4e2f0a767b8e464b0e391bce41afe2ffa235
Instruction ID: 0f798f2dcb0a357bad805f713a6afb093f1ddbb6380e78c2bfef91f648455a34
Opcode Fuzzy Hash: a074a6c350e7756d5e65c5856b2b4e2f0a767b8e464b0e391bce41afe2ffa235
Instruction Fuzzy Hash: 7881D774E00218DFDB15DFAAD884A9DBBF2BF89310F14C5A9E419AB3A5DB309941CF50

Function 0150BEB0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0150C118
0oJp, xrefs: 0150BF22
LjJp, xrefs: 0150C08F
PHgq, xrefs: 0150C107
LjJp, xrefs: 0150C0A5

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 5c99c1cbb0845ed5bc36a42c1c385fcb262b3cf8b96b9aa8b419fdcf811b89f0
Instruction ID: 0a61d037d5e7f9be9d7b628d30b2d48a96db9a835639d7a0b2b17c4eb373b484
Opcode Fuzzy Hash: 5c99c1cbb0845ed5bc36a42c1c385fcb262b3cf8b96b9aa8b419fdcf811b89f0
Instruction Fuzzy Hash: 0281D5B4E00208DFDB15DFAAD994A9DBBF2BF89300F14C1A9E419AB355DB319981CF50

Function 0150CA32 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

0oJp, xrefs: 0150CAA2
LjJp, xrefs: 0150CC0F
LjJp, xrefs: 0150CC25
PHgq, xrefs: 0150CC87
PHgq, xrefs: 0150CC98

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 4629a58cf99e76f8b4de79b97089fc613202f7570818f78ff4a494fcd7d34a6d
Instruction ID: 30f268e2ebdb12f9196df6ada5145b114b549dc9a593f4e8c743df69832dc26d
Opcode Fuzzy Hash: 4629a58cf99e76f8b4de79b97089fc613202f7570818f78ff4a494fcd7d34a6d
Instruction Fuzzy Hash: 0781A574E00218DFDB15DFAAD984A9DBBF2BF89300F14C5A9E819AB355DB309981CF50

Function 01504AD9 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

LjJp, xrefs: 01504CCE
PHgq, xrefs: 01504D30
LjJp, xrefs: 01504CB8
0oJp, xrefs: 01504B4A
PHgq, xrefs: 01504D41

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: b8d44eb1a09ca804eadfde29d83de4429ef8304194cf6597b4845122bb8e0f7a
Instruction ID: edbf21c6c1f3695519c84b73f4af4c7273d30445d6d08391641c6f09e0e90375
Opcode Fuzzy Hash: b8d44eb1a09ca804eadfde29d83de4429ef8304194cf6597b4845122bb8e0f7a
Instruction Fuzzy Hash: 5D819374E00218DFDB55DFAAD984A9DBBF2BF88300F14C069E919AB365DB349981CF50

Function 0150C190 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0150C385
LjJp, xrefs: 0150C36F
PHgq, xrefs: 0150C3E7
PHgq, xrefs: 0150C3F8
0oJp, xrefs: 0150C202

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 8eee60749cf08a47f75892b321f277d7fc0f768537ffce31d88c50de2f31192b
Instruction ID: bb996136aa7c0b9d7565a3d151d07b1a76d5f25466158d0a28859b46367649f8
Opcode Fuzzy Hash: 8eee60749cf08a47f75892b321f277d7fc0f768537ffce31d88c50de2f31192b
Instruction Fuzzy Hash: DA81A374E00218DFDB15DFAAD984A9DBBF2BF89300F14C5A9E419AB3A5DB309941CF50

Function 0150C470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjJp, xrefs: 0150C64F
PHgq, xrefs: 0150C6C7
PHgq, xrefs: 0150C6D8
0oJp, xrefs: 0150C4E2
LjJp, xrefs: 0150C665

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 01a365966c541162b8f2829f5a4d6bfd8dd20ef0dcabb899ca7a933f83fdaf29
Instruction ID: 66296eab8777bd80f93ed1add97585da7088274597ad2338b97947346b2f48ad
Opcode Fuzzy Hash: 01a365966c541162b8f2829f5a4d6bfd8dd20ef0dcabb899ca7a933f83fdaf29
Instruction Fuzzy Hash: D681C574E00208DFDB15DFAAD984A9DBBF2BF89300F14D1A9E419AB365DB30A941CF10

Function 0150BBD2 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oJp, xrefs: 0150BC42
PHgq, xrefs: 0150BE27
PHgq, xrefs: 0150BE38
LjJp, xrefs: 0150BDAF
LjJp, xrefs: 0150BDC5

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$LjJp$LjJp$PHgq$PHgq
API String ID: 0-804687319
Opcode ID: 3a801e18a5d4b12e574fae7005024dd8421c47d834f3534b1ed192beb33633a7
Instruction ID: af3700bde56548ba84ad7c883866fa529bbc69790e98f63507324d140e437c8f
Opcode Fuzzy Hash: 3a801e18a5d4b12e574fae7005024dd8421c47d834f3534b1ed192beb33633a7
Instruction Fuzzy Hash: 6A81A274E00218DFDB15DFAAD984A9DBBF2BF89300F14C06AE419AB365EB309941CF51

Function 01506880 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

,kq, xrefs: 01506A00
(ogq, xrefs: 0150697A
,kq, xrefs: 015069F2
(ogq, xrefs: 01506988

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: (ogq$(ogq$,kq$,kq
API String ID: 0-56747132
Opcode ID: 0d6e7b78a102213647547ec9b0f18b686f705e1bad2de5848bdf4087cfadf75c
Instruction ID: 0ce2da683b8175762c489067ab6c35052d163219f76907d411011cb5215c51de
Opcode Fuzzy Hash: 0d6e7b78a102213647547ec9b0f18b686f705e1bad2de5848bdf4087cfadf75c
Instruction Fuzzy Hash: 1AD12AB0E00119DFDB16CFA9C984AADBBF2FF88350F198465E505AB3A1D730E961CB51

Function 0150B4F2 Relevance: 3.9, Strings: 3, Instructions: 154COMMON

Download Yara Rule

Strings

PHgq, xrefs: 0150B747
PHgq, xrefs: 0150B758
0oJp, xrefs: 0150B562

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 0oJp$PHgq$PHgq
API String ID: 0-3138407973
Opcode ID: 145424844217834d346502de5dd67872665022cc617763385372f3f26ad3348d
Instruction ID: ec88acabfcd8cc64ef38baef5fea143f7cedcfe33ef5f3d95094143c7de3ed76
Opcode Fuzzy Hash: 145424844217834d346502de5dd67872665022cc617763385372f3f26ad3348d
Instruction Fuzzy Hash: BE61C574E002089FDB19DFAAD984A9DBBF2FF89300F14C469E419AB365EB345941CF51

Function 01509858 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01509C78
4'gq, xrefs: 0150A273

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: (ogq$4'gq
API String ID: 0-590356624
Opcode ID: 76bdb21f22d14e2e03af9ae04e5d06d9ee4c2cfcf0c5bcf6c67f368295a34c6d
Instruction ID: 0595bf68cd642e03f2f7401314f350d6064acf98462a0274e723db60405bd35b
Opcode Fuzzy Hash: 76bdb21f22d14e2e03af9ae04e5d06d9ee4c2cfcf0c5bcf6c67f368295a34c6d
Instruction Fuzzy Hash: CB727371A00609DFCB16CFA8C984AAEBBF2FF88354F158559E9099F396D730E941CB50

Function 01506108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(ogq, xrefs: 01506642
Hkq, xrefs: 0150650E

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: (ogq$Hkq
API String ID: 0-1949169705
Opcode ID: c3f392f12f22f62a1ec59110c8349e558359be7adecc75fe3b8cb6b41ded2160
Instruction ID: 1b76aa3a4fb416caf214056a0fe93fb8f187357930f78387aefa3e96b08f4f30
Opcode Fuzzy Hash: c3f392f12f22f62a1ec59110c8349e558359be7adecc75fe3b8cb6b41ded2160
Instruction Fuzzy Hash: 91129270A002198FDB15DFA9C954BAEBBF6FF88300F248529E505DB395DB349D52CB90

Function 06C48C5B Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHgq, xrefs: 06C48E9A
PHgq, xrefs: 06C48EAB

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID: PHgq$PHgq
API String ID: 0-1815594587
Opcode ID: cd5541ac5ecf96c8c8d17be0558a232c53bfdf9dd5d96bd5cc1ca4a869303d7c
Instruction ID: 99a33878803dea406a76df9c65fd1504a89420b1e831a4c218887b378daf741e
Opcode Fuzzy Hash: cd5541ac5ecf96c8c8d17be0558a232c53bfdf9dd5d96bd5cc1ca4a869303d7c
Instruction Fuzzy Hash: BC81AF74E01218CFDB58DFAAD9947ADBBB2BF89300F20816AD419BB294DB349945CF50

Function 06C411A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459a5c5a4a2c6fea2b736c0398d34f2229b9d31fa36cc8ba2d1e7c63a7766982
Instruction ID: 33eb8dd224f69e9c486b5fca7b5f5750c884a506191d756f191ea395517230bc
Opcode Fuzzy Hash: 459a5c5a4a2c6fea2b736c0398d34f2229b9d31fa36cc8ba2d1e7c63a7766982
Instruction Fuzzy Hash: 9E826F74E012698FDB64DF69C998BDDBBB2BF89300F1481EA980DA7254DB355E81CF40

Function 0150F007 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b4bce65d0ded9aa105e00810988738e9c3d500ac156d59092eace71c0e0a5a
Instruction ID: 2e3bdda7bf24fc02e823e6ba078c45ac4a43fa04ef00f9a71e51f4b8b262746f
Opcode Fuzzy Hash: 97b4bce65d0ded9aa105e00810988738e9c3d500ac156d59092eace71c0e0a5a
Instruction Fuzzy Hash: 1F72E174E012298FDB65DF69C990BDDBBB2BB89300F1485EAD409AB395D7349E81CF40

Function 06C48608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32c27e496de04533196f60b90b29f3389590cae088b76313c6583093faa52d5
Instruction ID: 9a55ce6d91ea2e04eb22521dacfc2d549f0c05c473c87d1229fb636a8feb8b9f
Opcode Fuzzy Hash: a32c27e496de04533196f60b90b29f3389590cae088b76313c6583093faa52d5
Instruction Fuzzy Hash: 9AE1B1B4E01218CFEB54DFA5C954B9DBBB2BF88304F2081A9D409AB394DB759E85CF50

Function 06C4B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02705942748164f5cae25875c02edf97c30a93970dc886f88e101bfcb09b2877
Instruction ID: 93a2974562dd5b197a513e881c0ca8f414fc08ae5d61949716760fcfdd354e53
Opcode Fuzzy Hash: 02705942748164f5cae25875c02edf97c30a93970dc886f88e101bfcb09b2877
Instruction Fuzzy Hash: 8DA18375E012288FEB64DF6AD944B9DBBF2BF89300F14C0AAD40DA7254DB349A85CF51

Function 06C4D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d5a82c00d92eeee2a924336bf99ec876a0b98a689f512addbba39d609a736b
Instruction ID: d88e376268176a725af4e44e91008e3be54949dbd7659c397984a0ca65c983f8
Opcode Fuzzy Hash: 48d5a82c00d92eeee2a924336bf99ec876a0b98a689f512addbba39d609a736b
Instruction Fuzzy Hash: A8A1A174E012288FEB68DF6AC944B9DBBF2BF89300F14D0AAD40DA7254DB345A85CF50

Function 06C4C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a125d5b03fb20a8a61e7c12b911722df490e9d6c80ecd7bf9cf378a54cfc988d
Instruction ID: cf5bdd10856c96f097403e2dbfd45eb72d1e22e9f628f5b40676ac574c3b8a11
Opcode Fuzzy Hash: a125d5b03fb20a8a61e7c12b911722df490e9d6c80ecd7bf9cf378a54cfc988d
Instruction Fuzzy Hash: E4A193B5E012188FEB64DF6AD944B9DBBF2BF89300F14C0AAD40DA7264DB345A85CF50

Function 06C4A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d00c8d4d8d1533df9dd68e0ce4a3ef4db8b28a58f4f5e83554f451abf00534
Instruction ID: a149da7bc9b1a276f182f7cb3166eb2f5a858c077d4b2b216846b4eeefc01a6a
Opcode Fuzzy Hash: b9d00c8d4d8d1533df9dd68e0ce4a3ef4db8b28a58f4f5e83554f451abf00534
Instruction Fuzzy Hash: 36A19175E016288FEB68DF6AC944B9DBBF2BF89300F14C0AAD409A7254DB345A85CF51

Function 06C4C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85331adcb7f480f4c21aa3956132da3a061e3eee51d278de8bd5cc7bf11e5241
Instruction ID: 4cc8158fa8e3e18f4d6cb1b962d44c52f6dfed19bffe9862071584a88711f22a
Opcode Fuzzy Hash: 85331adcb7f480f4c21aa3956132da3a061e3eee51d278de8bd5cc7bf11e5241
Instruction Fuzzy Hash: 33A19475E012188FEB64DF6AD944B9DBBF2BF89300F14C0AAD40DA7264DB345A85CF51

Function 06C4BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342447b2bf6a200ff244940f0b5336b6ad18e7e681518d1e310d8f56d44fe89a
Instruction ID: b2417afc2ff569de87cc59adc0edfb3b5d96f797e1f18398709a60fb22bf3691
Opcode Fuzzy Hash: 342447b2bf6a200ff244940f0b5336b6ad18e7e681518d1e310d8f56d44fe89a
Instruction Fuzzy Hash: CCA19275E012288FEB68DF6AC944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51

Function 06C4AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f448326ba81c9090ddf26f95c952aac1fb8a8e212ed82a7163017ab0534cde
Instruction ID: 3eba75439e75de7a30b181295ecca0497f72377820c8909f0e226b475cdb013d
Opcode Fuzzy Hash: 91f448326ba81c9090ddf26f95c952aac1fb8a8e212ed82a7163017ab0534cde
Instruction Fuzzy Hash: 91A19275E016288FEB68DF6AC944B9DFBF2BF89300F14C0AAD409A7254DB345A85CF50

Function 06C4B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f773a6108110c1bf01665cc30e18b63c126131c3266979c79f51b3bc915681c9
Instruction ID: a0a385d1833ab6d4d3f9bc66f90aced0f3b7760111bf30216cbcddce5b34caca
Opcode Fuzzy Hash: f773a6108110c1bf01665cc30e18b63c126131c3266979c79f51b3bc915681c9
Instruction Fuzzy Hash: D6A19275E016188FEB68DF6AC944B9DBBF2BF89300F14C1AAD409A7254DB349A85CF50

Function 06C4D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd831b2a2e2d2d7a654b01c652c095d0470fca100c96fc25f0bd3e1e5376d3a
Instruction ID: 3b6f4a81a71b9029d4e98835ebd4c3009af765cc25e294b1f11f924907de537e
Opcode Fuzzy Hash: 9dd831b2a2e2d2d7a654b01c652c095d0470fca100c96fc25f0bd3e1e5376d3a
Instruction Fuzzy Hash: 60A18275E012188FEB68DF6AC944B9DBBF2BF89300F14C0AAD40DA7254DB349A85CF51

Function 06C41191 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd9e22a15a53a35ffc67ee243115d298070b6b16d0b6d2401eaf694cf2883e9
Instruction ID: a19d0e5e2a1e8d22ac6d247057418ce0005ed822929802f3c89662b89b6cfeee
Opcode Fuzzy Hash: 5dd9e22a15a53a35ffc67ee243115d298070b6b16d0b6d2401eaf694cf2883e9
Instruction Fuzzy Hash: 6381A274E412299FDB65DF29DD54BEDBBB2BB89300F1080EAD809A7254DB315E81CF80

Function 06C4AA4B Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d978ce77be26592b7afdc8c84d4269d647f227d2c80e33976dc19e3938bc94
Instruction ID: 612b29ecf5e69209bf8046cb8ab91dcdccfca9979e35aa52ba2f7c96ad0f0629
Opcode Fuzzy Hash: 63d978ce77be26592b7afdc8c84d4269d647f227d2c80e33976dc19e3938bc94
Instruction Fuzzy Hash: B07185B5E016188FEB68DF6AD944B9DFBF2AF89300F14C0AAD40DA7254DB344A85CF51

Function 06C4B09B Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9c0354fe67137c58ec2df5836235926a0ed002298fb89d3a927ed3fc5e59df
Instruction ID: 96d40ca9b430a6a3c30e62f55aaf9c18180e2bebe4ad686ff54d5b5dc1d468aa
Opcode Fuzzy Hash: 3b9c0354fe67137c58ec2df5836235926a0ed002298fb89d3a927ed3fc5e59df
Instruction Fuzzy Hash: 2A717575E016188FEB68DF6AC944B9DFBF2AF89300F14C1AAD40DA7254DB345A85CF50

Function 06C4D023 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec907051f29aa31e49bab1f0989feba3ec97c7769d3a21811fef7ba28943a89b
Instruction ID: 6b1ade82222e62a14a6b23ec2d09524eba85a4f982494003bf40ebdde57b0a79
Opcode Fuzzy Hash: ec907051f29aa31e49bab1f0989feba3ec97c7769d3a21811fef7ba28943a89b
Instruction Fuzzy Hash: F4717271E016288FEB68DF6AC944B9DFBF2AF89300F14C1AAD40DA7254DB345A85CF51

Function 06C485FC Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19d7f4b4a997f096440575d19aec449064ba2c0ae3012fde67860064b289117
Instruction ID: f0df1139c22f740c31af9fc742d825d518990e13345e7c3895b1a658fc76b6cc
Opcode Fuzzy Hash: f19d7f4b4a997f096440575d19aec449064ba2c0ae3012fde67860064b289117
Instruction Fuzzy Hash: 4141C1B0E012088BEB58DFAAD9547EEBBF2BF88300F14C169C418BB294DB755946CF54

Function 06C4C9D3 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f03d272072cb163152c892d0dcebd911aeb7c078f73fdc2b4ae0c480a77a4c9
Instruction ID: 3c64ff92af87c54ddf2f951bf26039460a2e4313cda6b2c1905b09daae698262
Opcode Fuzzy Hash: 9f03d272072cb163152c892d0dcebd911aeb7c078f73fdc2b4ae0c480a77a4c9
Instruction Fuzzy Hash: DD4188B1E016189BEB58DF6BD9457D9FAF3AFC8310F04C0AAC50CA6264DB740A868F51

Function 06C4A3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba14c123058518197db9e20bf4f904226750b151ae9b34981803d2da453f1a5
Instruction ID: 5c01e3854a92eba4ee181cbe87bdbe4c9928c6a16e34e1432525cf0649f90a22
Opcode Fuzzy Hash: dba14c123058518197db9e20bf4f904226750b151ae9b34981803d2da453f1a5
Instruction Fuzzy Hash: 8A419DB1D016188BEB58DF6BD9457DAFBF3AFC8310F14C1AAD40CA6264DB340A858F51

Function 06C4C383 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de51af5177e9562c5d967bca20b7e7ab9931a6442f396a2d67c0ace130829174
Instruction ID: 6ee67ed2850470c4072071ac833e98dfd1f30f2f7d43775093aa30cd477d2714
Opcode Fuzzy Hash: de51af5177e9562c5d967bca20b7e7ab9931a6442f396a2d67c0ace130829174
Instruction Fuzzy Hash: C3416AB1D016189BEB58CF6BD9457C9FAF3AFC8304F14C1AAD50CA6264DB740A868F50

Function 06C4BD33 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6408af08d6232cf2890d0ab68a8aeaae07dc7f4916e1be23453b2d45d0847b6
Instruction ID: 836baba585851d89ef23a098ec5609fb6101ec67374a38fb906e8b68b28dadec
Opcode Fuzzy Hash: c6408af08d6232cf2890d0ab68a8aeaae07dc7f4916e1be23453b2d45d0847b6
Instruction Fuzzy Hash: 694159B1E016188BEB58DF6BD9457D9FAF3AFC8300F14C1AAC50CA6264DB740A868F50

Function 06C4B6E3 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9d5cb8885858e5cefc9efd012cf53d74b10a501edbe33cf772f872e9a4098
Instruction ID: 180130135bb9e64c0f9d71c888f27d66abfbd909c90a95473f57f48e7797a1ee
Opcode Fuzzy Hash: 74f9d5cb8885858e5cefc9efd012cf53d74b10a501edbe33cf772f872e9a4098
Instruction Fuzzy Hash: 9B4159B1E016189BEB58CF6BD9457D9FAF3AFC8304F14C1AAC50CA6264DB740A86CF50

Function 06C4D66B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713009aa0a64e64de69e9a84b2cb7935987a117a7a4092aa45edc0aa6c51d4dd
Instruction ID: 8fdcaf7c25fbfe53db6bb314d3c4684f5fe12149c23bd9648b3756f67b7ff692
Opcode Fuzzy Hash: 713009aa0a64e64de69e9a84b2cb7935987a117a7a4092aa45edc0aa6c51d4dd
Instruction Fuzzy Hash: 65414AB1E016188BEB58DF6BD9457C9FAF3AFC8300F14C1BAD50CA6264DB740A858F51

Function 01506E58 Relevance: 10.5, Strings: 8, Instructions: 475COMMON

Download Yara Rule

Strings

(ogq, xrefs: 0150701A
,kq, xrefs: 01507308
(ogq, xrefs: 01507367
(ogq, xrefs: 01506F7D
(ogq, xrefs: 01507377
,kq, xrefs: 015072F8
(ogq, xrefs: 01506F51
(ogq, xrefs: 01506E96

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: (ogq$(ogq$(ogq$(ogq$(ogq$(ogq$,kq$,kq
API String ID: 0-1957521964
Opcode ID: a69aa97ee893b01d0438c3199adc73ee9fece7b3a451a19cf61230561a257055
Instruction ID: a913fecdbb86bdf94460d50dc62dd07d171ad68b6cebcd69d0b578cff80f8471
Opcode Fuzzy Hash: a69aa97ee893b01d0438c3199adc73ee9fece7b3a451a19cf61230561a257055
Instruction Fuzzy Hash: 3C124930A006099FDB16DFA9C984A9EBBF2FF88314F248559E955DB2A1DB30FD41CB50

Function 015077F0 Relevance: 3.2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

$gq, xrefs: 01508314
$gq, xrefs: 01508337

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: $gq$$gq
API String ID: 0-2569250954
Opcode ID: 4b9e9744be2d9fb3ae9bc93c911e8f1b68d768967e8a82921c62bcad8b766a06
Instruction ID: 4ee1cb6bfc2020a55671f55bc86644915e05c03ad341c5c2cdbf3cae5bc4b792
Opcode Fuzzy Hash: 4b9e9744be2d9fb3ae9bc93c911e8f1b68d768967e8a82921c62bcad8b766a06
Instruction Fuzzy Hash: BA521F74A102198FEB55EBA4C860BEEBB72FF84300F1080AAC10A6B799DB355D85DF51

Function 015087E9 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

4'gq, xrefs: 01508811
4'gq, xrefs: 01508837

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: 4'gq$4'gq
API String ID: 0-2478590125
Opcode ID: 172a6cae9927ee4dba1ab963db0ca394b184e3c7d51bebc381c5658be6375e02
Instruction ID: 9673261bbca5ade127312bd7684f741412a1ea8350d6f14deeb39cb58fb8bd33
Opcode Fuzzy Hash: 172a6cae9927ee4dba1ab963db0ca394b184e3c7d51bebc381c5658be6375e02
Instruction Fuzzy Hash: E0B15170B109018FEB169AADCA59F3D7796FF85750F1808A9E602CF3E2EA64CC41C741

Function 015056A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hkq, xrefs: 015057C6
Hkq, xrefs: 01505793

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: Hkq$Hkq
API String ID: 0-2158860719
Opcode ID: e3d2e217f87755a28aecc6d60508a3a98587fb514d839febe3cde11f2f0263fa
Instruction ID: 5dc7eacb5510c0379d62da70e6d924ced40d3a6812321cd99b8c960c97fcc157
Opcode Fuzzy Hash: e3d2e217f87755a28aecc6d60508a3a98587fb514d839febe3cde11f2f0263fa
Instruction Fuzzy Hash: 4BB1AD717142598FDB169FA8C994B7E7BE2BF88350F244829E906CF2D1EB74D841CB90

Function 01505C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,kq, xrefs: 01505CE8
,kq, xrefs: 01505CDE

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: ,kq$,kq
API String ID: 0-3716310059
Opcode ID: c2087520dfa09e7fdfa5a98f0c5ba7a56dc39e9919b415106aa80b636b697f80
Instruction ID: c9f3a90d601d0fec2def3e1b2b386f7ced90f06cd3b4979df6d7ab8fc494e251
Opcode Fuzzy Hash: c2087520dfa09e7fdfa5a98f0c5ba7a56dc39e9919b415106aa80b636b697f80
Instruction Fuzzy Hash: CA817F35A205058FDB16DFADC88896EBBF2BF89210B1485AAD506DF3A5E731EC41CF50

Function 06C423E0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

LRgq, xrefs: 06C423FC
LRgq, xrefs: 06C42529

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID: LRgq$LRgq
API String ID: 0-3234239580
Opcode ID: bd5a373f0a942ff87263871e7e23c488df51f5b60c610b18118f7c47db44cba1
Instruction ID: 66b415ba185b9198b446b180697677ac727a5dcc6c254ac5601b8031fe556eac
Opcode Fuzzy Hash: bd5a373f0a942ff87263871e7e23c488df51f5b60c610b18118f7c47db44cba1
Instruction Fuzzy Hash: AC81A034B101068FCB48EF79C955A6E77B6EFC8650B1181A9E505DB3B4EB34DE02CB90

Function 06C49510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(kq, xrefs: 06C496EA
(&gq, xrefs: 06C4962B

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID: (&gq$(kq
API String ID: 0-511105817
Opcode ID: 41ee04ca2356f21ccf38f3f580f20df6a623d47b1885f6787c5e72f187301760
Instruction ID: e84a37312fb19a4e0c3c734a71841228e89a88d98abb63917c223020cceb9324
Opcode Fuzzy Hash: 41ee04ca2356f21ccf38f3f580f20df6a623d47b1885f6787c5e72f187301760
Instruction Fuzzy Hash: 0C719031F002295BDB55EFA9C850AEEBBB2AFC9710F148529E405E7394DF349E06C791

Function 01503428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xkq, xrefs: 01503435
Xkq, xrefs: 0150345E

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: Xkq$Xkq
API String ID: 0-930889198
Opcode ID: f18a57544d1163e0d1357a56aec1a823af930b21a946f268692aa700bc11aa1e
Instruction ID: 3f2f246edc7d077252849af591dc8913e57c2772f672725df600c3ec74163bda
Opcode Fuzzy Hash: f18a57544d1163e0d1357a56aec1a823af930b21a946f268692aa700bc11aa1e
Instruction Fuzzy Hash: EF31E479B003248FDF9B5AEE559827FAADABBC4250F154839D906CF3D0DBB5CC408691

Function 01500C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LRgq, xrefs: 01500E5E

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: LRgq
API String ID: 0-2449505933
Opcode ID: b0c1264d76b328a82405c959d9aaf3faf2d6ed6243b169c45a1138312092e408
Instruction ID: 29ca5a47a775df91e18d23b614ec52e3818c98339854b75fae1eae0b782cde2b
Opcode Fuzzy Hash: b0c1264d76b328a82405c959d9aaf3faf2d6ed6243b169c45a1138312092e408
Instruction Fuzzy Hash: 7E22DD74A0021EDFCB55EF64E998A9DBBB5FF88341F2085A6D409AB358EB305D85CF40

Function 01500CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRgq, xrefs: 01500E5E

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: LRgq
API String ID: 0-2449505933
Opcode ID: c7b244b22c889b3c44f4ab40813e52db07bb13743846a94d11018f23fd33390b
Instruction ID: af36b9575333b09509ada313ba62edf4fcf7eaa304040e15a2300269d5783fa4
Opcode Fuzzy Hash: c7b244b22c889b3c44f4ab40813e52db07bb13743846a94d11018f23fd33390b
Instruction Fuzzy Hash: 7D22DE74A0021EDFCB55EF64E998A9DBBB5FF88341F2085A6D409AB358EB305D85CF40

Function 0150A650 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(ogq, xrefs: 0150A7D9

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: (ogq
API String ID: 0-183986202
Opcode ID: ed0c9ee4919804817f970cf1a0895f8f2d78a6c82159e15a198e93e2ad6c8c45
Instruction ID: 1edddc241ae9ea6de4e6592e8b8a8c96d589ebf67e979eed6ca6214e5557595a
Opcode Fuzzy Hash: ed0c9ee4919804817f970cf1a0895f8f2d78a6c82159e15a198e93e2ad6c8c45
Instruction Fuzzy Hash: EE41E131B002489FCB199F79D954AAEBBB6BFC8350F248469E506DB3D1CE359C02CB90

Function 015077E0 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ccc34ed3a500179e012719385bf71e26e49597da39bb1652b5192cbcd99f16
Instruction ID: d8f0116a3adff6d7eafffeaf1095e0caf672574017cb8788b82fa9960e33e41e
Opcode Fuzzy Hash: 44ccc34ed3a500179e012719385bf71e26e49597da39bb1652b5192cbcd99f16
Instruction Fuzzy Hash: 0942ED74A10219CFEB54EBA5C860BEEBB72FF94300F1081AAC10A6B799CB355D85DF51

Function 0150A84F Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6575576646770be9158c9caff8a9ca6d51a642cd1c1cf4a07f1eb7533fe6e1d
Instruction ID: 03f419c3d1137a4fee81be3de9a0ab803046eae915a1eaf2bc51d91703303c71
Opcode Fuzzy Hash: d6575576646770be9158c9caff8a9ca6d51a642cd1c1cf4a07f1eb7533fe6e1d
Instruction Fuzzy Hash: 39F12075A006158FCB06CFADC584A9DBBF6FF88350F1A8459E515AB3A1C735EC81CB50

Function 01507438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0682644b922cc60dbcc9d0363320bb4d5bbbbed33bf970562c5ef82200f5bd
Instruction ID: 58867e3bf4b14a6ff001ff6736c5300bd4caff33a6c776a0eb9262bdd7926b5d
Opcode Fuzzy Hash: ce0682644b922cc60dbcc9d0363320bb4d5bbbbed33bf970562c5ef82200f5bd
Instruction Fuzzy Hash: 9371E7347002458FDB26DF6CC898AAE7BE5BF49640F1904A5E942CB3B1DB71EC41CB90

Function 0150CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f778e4222a5f42bd6898d560ee8d29018b2c34764181593a359ae39d938aaf
Instruction ID: 224f41e10591b552533b12e0670d6d83f371ab303962d8a2dbfe64823206e1d4
Opcode Fuzzy Hash: 50f778e4222a5f42bd6898d560ee8d29018b2c34764181593a359ae39d938aaf
Instruction Fuzzy Hash: 4851C0309A134A8FD3153F24B3AC16EFBA4FB4F3977256D69A10E86019DB3550A9DF20

Function 0150CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69827b036f3ee40ca085f5b91ebd1e5c962588a1c2d61df0302af89433be0c0
Instruction ID: bbb49fdaabf89991287ed05c4bfedcfce200c56ff2e8bc67808aba57cd48da29
Opcode Fuzzy Hash: f69827b036f3ee40ca085f5b91ebd1e5c962588a1c2d61df0302af89433be0c0
Instruction Fuzzy Hash: A451AE309A120B8FD3193F28B3AC16EFBA4FB4F3977216D65A10E86019DB3550A5DF60

Function 0150E2D9 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be543a33cb754a983ead163db2550f6df947ddbd35f80ecb4085f710dac084
Instruction ID: a07112046ff52ca937a3d160582bebec16ea865a09e737a1ad3ca7302e6af0ac
Opcode Fuzzy Hash: c5be543a33cb754a983ead163db2550f6df947ddbd35f80ecb4085f710dac084
Instruction Fuzzy Hash: 38512374D1121CCFDB15EFA5D958AAEBBB2FF88300F208529D805AB399DB395985CF40

Function 0150CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f129570c104592efef553a0f8f969fb51177f23cfc6f9e05662111c2c0adfdf7
Instruction ID: 6b02713e7579fc746986968dbbec2e1440c7ea94afe056dc67a5db411725e495
Opcode Fuzzy Hash: f129570c104592efef553a0f8f969fb51177f23cfc6f9e05662111c2c0adfdf7
Instruction Fuzzy Hash: D2519474E01208DFDB48DFA9D58499DBBF2FF89310F24816AE819AB365DB31A905CF50

Function 06C4DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ca68d97e307273dbaaa5b5f42dd1992dce13dcdd0cd2f79c183a74415ca559
Instruction ID: 05eed4a767816895cfc3fa065b65bf82b34a6e5be013bb6adb4d2ca93c917bed
Opcode Fuzzy Hash: 91ca68d97e307273dbaaa5b5f42dd1992dce13dcdd0cd2f79c183a74415ca559
Instruction Fuzzy Hash: FF411B7591131ACFEB15AFB5D16C7EEBBB1FB8A312F10586AD10267294CB780A44CF90

Function 01503908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146d8b56d8fb1b1962ea1fc534a7b34cfc1b34b61de5fd51eeb934acba3c406f
Instruction ID: b7b67cf7b042b96549c63b616226ab02475bda925c87bb7e645f621a3ae97b01
Opcode Fuzzy Hash: 146d8b56d8fb1b1962ea1fc534a7b34cfc1b34b61de5fd51eeb934acba3c406f
Instruction Fuzzy Hash: 0F51B574E01209DFCB48EFA9D99099DBBF6FF89310B208469E805AB364DB31AD45CF40

Function 01509A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2edfb8bc0d03aa93386552ad80170ab9b777746006b29c1fc3d806638cb9c2
Instruction ID: 144022127df19b2d3e5073a65c9ac5b735f6e934745eafcc32a2f82fb32a396b
Opcode Fuzzy Hash: ca2edfb8bc0d03aa93386552ad80170ab9b777746006b29c1fc3d806638cb9c2
Instruction Fuzzy Hash: 62418F71A04249DFCF12CFE8C844A9DBFB2BF89368F048555E9199F29AD374E950CB90

Function 06C49A53 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0891af504a953ed052aa9513b74d0417ca5135e7e5fea7b838418722d2ccf120
Instruction ID: 6b876e753f01db9c8b764f1af891e3520cf365155a034b50f8f5e5ea4708e412
Opcode Fuzzy Hash: 0891af504a953ed052aa9513b74d0417ca5135e7e5fea7b838418722d2ccf120
Instruction Fuzzy Hash: AE51C0B4E012198FDB14DFA5D6846EEBBB1BF88300F20842AD415B73A4E7385A46CF50

Function 06C49500 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819a1d5b1538d19ff9001dd08282c07b2c4708f728dc1dc3a755fbbd1f5edb27
Instruction ID: 3dd83ae254d3fcd6a7a91fa1145bf66c2701fd1db6085e68e32d6ca4d2a9e36a
Opcode Fuzzy Hash: 819a1d5b1538d19ff9001dd08282c07b2c4708f728dc1dc3a755fbbd1f5edb27
Instruction Fuzzy Hash: E2413071E002199BDB54DFA5C980EDFBBF5AF88710F148229E415B7294DB70AE46CB90

Function 0150E134 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e482ee8d3f9ced75371ad15fad34d61d6a51448187cb0f04f2369aeac34e9520
Instruction ID: e67fb896123a15cdc36d3bdd60b027955e0368fe08c813a3fc76dc9155a575d5
Opcode Fuzzy Hash: e482ee8d3f9ced75371ad15fad34d61d6a51448187cb0f04f2369aeac34e9520
Instruction Fuzzy Hash: 34412374D05209CBCB16DFE8D596AEDBBF2FB89300F249819D055AB285DB71A842CF50

Function 01506730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d48afc094ca8f93417dbdaac5635d36d4b97b36e8e61bdaf84be981273a255
Instruction ID: 62e3aff58786d0470c958bc0a592884a2480cfbd68be135aa6e42b9cabf5c1a1
Opcode Fuzzy Hash: 50d48afc094ca8f93417dbdaac5635d36d4b97b36e8e61bdaf84be981273a255
Instruction Fuzzy Hash: 3141D271A00209DFDB129FA8C904BAEBBF6FF44314F04846AE4159B282EB74DD55CB91

Function 0150D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce99d289a58eb0625036d2019a23f35036806521f65ec9ef897bb7f652de4e4
Instruction ID: 55f3ae9b98f974f08c100214c6d5a6e575120ce986c419d514b4afcf0b20d7c1
Opcode Fuzzy Hash: 7ce99d289a58eb0625036d2019a23f35036806521f65ec9ef897bb7f652de4e4
Instruction Fuzzy Hash: DE410274D04249CFCB16DFE8D494AADFBB2FF89300F249519E41AAB284D775A842CF64

Function 06C49A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff138368b8da35f2d08f20183efea3bf9ecc2f9f0b4850027fc36c1b7c03aed6
Instruction ID: 2436c3c9a188facef9ddf9e3c3c93319e08ee99c1ce7dc1130168e0605a5713b
Opcode Fuzzy Hash: ff138368b8da35f2d08f20183efea3bf9ecc2f9f0b4850027fc36c1b7c03aed6
Instruction Fuzzy Hash: 2541B2B4D012188FDB44DFA5D6846EDBBF1BF89300F10942AD415A7364E7385A46CF50

Function 0150E0D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74abaa281cbd792ed6c1d6324d839e280e0676e530d0e66c46581242233f8e60
Instruction ID: 771729332abf76a410afba77cbdc3f2b9cba08bbca17cebbb78827ac3af8aaec
Opcode Fuzzy Hash: 74abaa281cbd792ed6c1d6324d839e280e0676e530d0e66c46581242233f8e60
Instruction Fuzzy Hash: BB411270D01209CFCB12DFE8D5A56EDBBB2FF49310F209919D415AB295D7319881CF50

Function 0150D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75098ed73e01f708104ec47fc3d8a9e5db6254d7682aab6cd41f96bcd149244
Instruction ID: c9b4721b3bbd0cd02c405b3e1018124581694db7ed8c29f3ebca2a2f3ae2cf70
Opcode Fuzzy Hash: e75098ed73e01f708104ec47fc3d8a9e5db6254d7682aab6cd41f96bcd149244
Instruction Fuzzy Hash: D241F074D01209CFCB12DFE8E494AADFBB2FF49310F209529E41AAB284D775A941CF54

Function 0150D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5854aab1a3df32ef87b26d819ca676fd8add6128836696249bc9cccf4225d2
Instruction ID: cb29644e0475166b5a3a6b616f9c01770f788eaa9aa34f9965afca2092a63690
Opcode Fuzzy Hash: 1c5854aab1a3df32ef87b26d819ca676fd8add6128836696249bc9cccf4225d2
Instruction Fuzzy Hash: 7C411274D01209CBDB05DFE9D844AAEFBB2BF89300F24D529D819AB294DB759842CF64

Function 0150DF88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62665e04b37545e6e2c32f6b9c8b72ec54bb4c151ef524994c20776a589d1b94
Instruction ID: 61cb829fa16b1dc39b7ffa95250a91ad1ca67d1c9a5e116194bf628d6707e4b3
Opcode Fuzzy Hash: 62665e04b37545e6e2c32f6b9c8b72ec54bb4c151ef524994c20776a589d1b94
Instruction Fuzzy Hash: 43312470D012098BDB16EFE9C555AEEBBF2FF89300F24D929D414AB294DB719842CF54

Function 01504DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b095a1b82681a318acdb55ded171eb476102583c6f1086ed55b9cc7da339c60
Instruction ID: b8e40ef902f006fcfc4ae04a4a24136879ac14b733d2ca95d5aa4c6b643b01d0
Opcode Fuzzy Hash: 0b095a1b82681a318acdb55ded171eb476102583c6f1086ed55b9cc7da339c60
Instruction Fuzzy Hash: 3031803160410E9FDB06AFA8D954ABF7BA6FB88240F104429FA158B291CB34DC65DBA1

Function 06C4DCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99d68c65bd7d8e66b07f58ccb8b96fb5e6b578207d52911536c3aa6d89cf6f2
Instruction ID: 235ba0ed45e6c77bce28ed4e64ef5f2de0fad7eb23aeceaa3e6598cdb2b9c473
Opcode Fuzzy Hash: b99d68c65bd7d8e66b07f58ccb8b96fb5e6b578207d52911536c3aa6d89cf6f2
Instruction Fuzzy Hash: 32314F7490131ADFEB05AFB5D46C7EEBBB1FB8A316F10486AD51167294CB780A44CF90

Function 015076E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb3efcc6ab6b25a74c1c71a7ea833d45492fe6b6c9c27daa72fa44ad5ddc3d0
Instruction ID: a17bb749251649f84c8bc381b2a7ad04b2b207678fffe55108044d7a3eef2643
Opcode Fuzzy Hash: 7eb3efcc6ab6b25a74c1c71a7ea833d45492fe6b6c9c27daa72fa44ad5ddc3d0
Instruction Fuzzy Hash: 3821F13830060547EB1B16798A54A3E7297BFC8B99F244078D542CF7D5EE25DC41D381

Function 0150DF79 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc773baea3961dd858a6819b7f0916312fb6ca47af533475d04357e9d0eca07
Instruction ID: cf4988845b019396b5d3edbf9a23c34f584ddca2cffddc72c343a79defb8892d
Opcode Fuzzy Hash: 9fc773baea3961dd858a6819b7f0916312fb6ca47af533475d04357e9d0eca07
Instruction Fuzzy Hash: EB21AC71E002099BDB09DFEED8096EEBBB6FBC9300F04D829C514BB2A4DB7484068E54

Function 01502060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22220c90984b952fb6053853262b98932e9906902baec18201d6f8481ed1cbd0
Instruction ID: efcc72ea2a3e08782ea7fa2dc97f787076caa24d6a019b42db8782873fcac1a0
Opcode Fuzzy Hash: 22220c90984b952fb6053853262b98932e9906902baec18201d6f8481ed1cbd0
Instruction Fuzzy Hash: BD21B535A002059FCF56DFA8C5549AE77A6EB8C250F10C459EC0A8B294EA31EA41CBD1

Function 01505A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8c6fd061c6c6e3e658e9a0a742f68541a6ffd039e1a5f8021c2c48459b5d43
Instruction ID: c4208c7af3dd47a2c37f44cae6037d58f9bf8740c3242ddf21727c14f501343a
Opcode Fuzzy Hash: 4c8c6fd061c6c6e3e658e9a0a742f68541a6ffd039e1a5f8021c2c48459b5d43
Instruction Fuzzy Hash: F021F331710A168BD326AA68C49452FB7A6FBC46517144568EA06CF394EF70EC02CFC0

Function 0129D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893435482.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22433d8a64da218602da54227c9909ec42f4d52ec1d50d246d5a577df7a6b9be
Instruction ID: e9f78215c3c8dee6c4284e2746de0e2bc7cef43a81ebcc79801466af9d15be87
Opcode Fuzzy Hash: 22433d8a64da218602da54227c9909ec42f4d52ec1d50d246d5a577df7a6b9be
Instruction Fuzzy Hash: D22104B1514208DFDF15CF6CC9C0B26BBA5FB88314F24C96DE9494B242C77AD446DA61

Function 01504DB9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5e00767e39c5af4e623147ca85a014cb7c1c8782867d4e308dd3ea28c74657
Instruction ID: e96d0664259dcd26f081a8093d183d937a077353a5dd678d8ebef1b0dc6a7823
Opcode Fuzzy Hash: ed5e00767e39c5af4e623147ca85a014cb7c1c8782867d4e308dd3ea28c74657
Instruction Fuzzy Hash: B621933160410A9FDB16AFA8D555B6F7BA6FB84750F204429FA058F382CA38DC55CBE1

Function 06C496F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae44326d6c86373eecfc1bf7c76cecbd594fea5eb47ba718bf353ec5f51c6e5
Instruction ID: 254eb0e8763487eff2e14893647a47699c333fec984ac58d9d2ee71ae99490a3
Opcode Fuzzy Hash: eae44326d6c86373eecfc1bf7c76cecbd594fea5eb47ba718bf353ec5f51c6e5
Instruction Fuzzy Hash: 97113D367041A41FDF06AFB898245AE3FA3FFC9260B54442AD405DB3D1CE384E0683A5

Function 01501F08 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4675f9f86c486632dff9a51950c15e07f21601bd07228ccf03e51c92aea73cf7
Instruction ID: 80ee8a6f1e7b85a9cbfe8982d03824aaa1d280265c55703b2b95f79b469259b1
Opcode Fuzzy Hash: 4675f9f86c486632dff9a51950c15e07f21601bd07228ccf03e51c92aea73cf7
Instruction Fuzzy Hash: B2215770C0460A8FCB02EFB8C9985EDFFF0BF49340F14456AC541AB254EB305945CBA2

Function 0150D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4955cd5fd774a0ecda34be591b4c675cfc23a54c2ce142f294b133feea4338e3
Instruction ID: f865c964fb273211e31f5a19ce73b36a72e87e9051469bf75f824601563a159d
Opcode Fuzzy Hash: 4955cd5fd774a0ecda34be591b4c675cfc23a54c2ce142f294b133feea4338e3
Instruction Fuzzy Hash: 80114971D006088BDB09CFEAD8096EEFBF2FBC9311F18D52AD418BB295DB7445068E54

Function 06C4E0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2c16c401695c1bcf87a8fbdfb88b36343eb6b2e5367dd79a40578e65e6df3f
Instruction ID: 37c06008db4dd9d0a49cc9236d1f61f465b77568bc8c31d364eca43c469d4078
Opcode Fuzzy Hash: bc2c16c401695c1bcf87a8fbdfb88b36343eb6b2e5367dd79a40578e65e6df3f
Instruction Fuzzy Hash: 2311E1307452548FE7055B7A98549BBBFABAFCA290B258876E546C7296CA248C068360

Function 0150E201 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0284a03486eab72e6f15453f249ae2b043532f7bc15eb1520442f0e70e8c4e
Instruction ID: ff57d2c7054010aac6b2e7cce053f9c03376119f494f4ae41892cb3c1cbd268e
Opcode Fuzzy Hash: 8c0284a03486eab72e6f15453f249ae2b043532f7bc15eb1520442f0e70e8c4e
Instruction Fuzzy Hash: 38217FB0D0110E9FDB45EFB9D554A9EBBF1FB44304F10C5AAD0049B358EB305A46CB81

Function 01501F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729af7c10ae012b5e2710630cb1fe5226ede0014948cbd316806108dc13cc0b3
Instruction ID: 44f3ec5973302807aa3e54e5f314058f2399aa2df9c3a28a0132193dee3edc33
Opcode Fuzzy Hash: 729af7c10ae012b5e2710630cb1fe5226ede0014948cbd316806108dc13cc0b3
Instruction Fuzzy Hash: 2E21D0B4D0160D8FCB41EFA8D9856EEBBF1FB48300F10966AD805B3250EB345A56CBA1

Function 06C49350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a05202cd9032819e9f4a10c85dd8bdc2106449ceecf23bd0effc11aca06daf
Instruction ID: f9ee3883b658883a25778a585799445eb7b90fc114630e92dc9a5f7068cfb87e
Opcode Fuzzy Hash: 44a05202cd9032819e9f4a10c85dd8bdc2106449ceecf23bd0effc11aca06daf
Instruction Fuzzy Hash: FA1134B6800299DFDB10DF9AC845BEEBFF4EF48320F148419E918A7250C379A954DFA5

Function 06C48EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e106fae2c290dd304cb805a2085d0035a110597726a800bc3a733fa6a11d9c9
Instruction ID: d11c5f872cf758afa181077715f4098f52482641a081fe3e86a2d6d96f06ced7
Opcode Fuzzy Hash: 0e106fae2c290dd304cb805a2085d0035a110597726a800bc3a733fa6a11d9c9
Instruction Fuzzy Hash: FA111274F011498FEB40DFE8D950BAEBBB5EB88311F409055E908A7349E731D9428F91

Function 0150E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad33e5b9ddf120fc93a4d0d9397ce8022ef05e078fa5745ea39e5c70a29ec108
Instruction ID: 8a4b29ef95e320ae78f1153b71d6cb3b26081ae865d42723da0d822fcf7ac913
Opcode Fuzzy Hash: ad33e5b9ddf120fc93a4d0d9397ce8022ef05e078fa5745ea39e5c70a29ec108
Instruction Fuzzy Hash: 51117CB0D0110E9FCB45EFB9D554A9EBBF2FB44304F10C9AAD0049B258EB305A46CB81

Function 0129D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893435482.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: ef3004ddc711e87d29ce1fca4567c8a045cac88b56b2f3793ce5feb61c37bc2c
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: AB11DD76504288CFDB12CF58C9C4B15BFA2FB84314F24C6A9D9494B252C33AD44ADF62

Function 06C4999B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b1782e5f29bb9bedc6d3309f5e99271a7bda7a30b0d21f25153a8718ed526a
Instruction ID: 552f7eb3c074499dbfdd63b2ba693c0bedd2e94aff1ac2a23960f2b737779401
Opcode Fuzzy Hash: a2b1782e5f29bb9bedc6d3309f5e99271a7bda7a30b0d21f25153a8718ed526a
Instruction Fuzzy Hash: D51134B6800249DFDB10CF99C945BEEBBF4EF48320F14841AE518A7610C339A554DFA1

Function 01505607 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b32bf85a3c15d1f9d9ce379a9cecb4f3ace2a18a958b2e128940ec1176c3af
Instruction ID: 4f91d0db4dd4711e7311a96d736a497c481db697a594797fc378e5331573af59
Opcode Fuzzy Hash: a1b32bf85a3c15d1f9d9ce379a9cecb4f3ace2a18a958b2e128940ec1176c3af
Instruction Fuzzy Hash: 3701FE317001096FDB079E54DC106EF7B96EBC9651B28802AF605CB280DD35DC179BA1

Function 06C42670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447ce07c7a98cdafb809d95d35f17580b228b64b4649a05ddbf730f31b97b375
Instruction ID: f5245dc810997247dd61ff9f6f3e551a8deda2d8c67a6ccd855ad19f50ceaedc
Opcode Fuzzy Hash: 447ce07c7a98cdafb809d95d35f17580b228b64b4649a05ddbf730f31b97b375
Instruction Fuzzy Hash: 54115B75A402158FC790EB7CE5096AEBBF0EF8876171145A9E806DB311DB35CD06CF90

Function 06C425E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefe872ba1027fe12c2c70b583839bd6008deb836b6495db276fc4847073c41c
Instruction ID: bbf53270b46555edb4506dfd1329502ab141801572a43144db63bba10dbfcc86
Opcode Fuzzy Hash: fefe872ba1027fe12c2c70b583839bd6008deb836b6495db276fc4847073c41c
Instruction Fuzzy Hash: 7701A471E002199FCF44EFBA8905AEEBBB5AF88211F10856AD819E7254E7785A018F90

Function 06C49760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08ef1823a19e65167f4634478fd394dd780f75b95d0e86d494051aa0e5cf703
Instruction ID: 61c496decb2df67ba481434360c2bea81f1e680b5d6f14ebb57072eb0fb56202
Opcode Fuzzy Hash: d08ef1823a19e65167f4634478fd394dd780f75b95d0e86d494051aa0e5cf703
Instruction Fuzzy Hash: D2F089363001296F8F059F999C409AF7BEBFBC9260B004429F909D7350DE368D1597A5

Function 0150D449 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2a4976974ff9994a0ed4d92cd952a4dd0d1aca7d232df28d13bd40c48aabd3
Instruction ID: 180ead810f7aba4ee058d14ef081c457f1b4128ebc8c05c726de7c5002d4280b
Opcode Fuzzy Hash: 0d2a4976974ff9994a0ed4d92cd952a4dd0d1aca7d232df28d13bd40c48aabd3
Instruction Fuzzy Hash: C7E06830E4010497DB0AAADDEC0F2FEB7B8F78A311F00543AD104FB2D5CBB890068A90

Function 0150DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cb59c1dc206ea04d81c423f06bfc179dd1c929ac2ed98b340f4dd828aa0036
Instruction ID: 570b69b8a3c61cedc37000d4e2b9285437cea160c52c0cd675ec9c7f3659715e
Opcode Fuzzy Hash: 81cb59c1dc206ea04d81c423f06bfc179dd1c929ac2ed98b340f4dd828aa0036
Instruction Fuzzy Hash: 92F01770A111298F8B85EBFCC44456EB7F0BF0822072145A9D409DB361EB309D018B90

Function 0150DF08 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ba9efd2a8b97264b348285d85f285e7207510b8983fe457ca4c3289c1bda5
Instruction ID: 1be2c4fb53dec2fb7ff2cdd54ec7e93283416b3d16efad882364c3953c6499ec
Opcode Fuzzy Hash: b94ba9efd2a8b97264b348285d85f285e7207510b8983fe457ca4c3289c1bda5
Instruction Fuzzy Hash: E5E02231E042049FDB159FEEE8492FABBB6FBCA314F4498A8D61462190DBF495168B81

Function 0150D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6999d4560b735f71055e49a2bce004850b5c685a350de6cff3d2bd8e53f9db12
Instruction ID: d74b910e251f7948433c600cc1e349d394820637f5072e225194deb39f8070b3
Opcode Fuzzy Hash: 6999d4560b735f71055e49a2bce004850b5c685a350de6cff3d2bd8e53f9db12
Instruction Fuzzy Hash: 52E0DF92C081408BE3228BEA65160B9BF70EBE7211B456887D1898F1A5E698A206DB15

Function 01502010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201af0820e48c5e2564a880098582ef31eb53f47f2b5fbb94e61d8da11a5cc9c
Instruction ID: 4661aee78c6763663a6d1256435c9d3a10602c9aca0766a05ce89f0769229445
Opcode Fuzzy Hash: 201af0820e48c5e2564a880098582ef31eb53f47f2b5fbb94e61d8da11a5cc9c
Instruction Fuzzy Hash: 73E0CD32D1022B93CF00D7A1DD156DFB738FFD2260F659626D52173940EB74365B86A0

Function 01502020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fee083a4a5ec707e1785da12135a552950ad07dd89dc998413363c4e83d9b1
Instruction ID: 836aca71d7febede66b29f61092e56f7ef7ae592c7c100d2759c81c4eb04d0ee
Opcode Fuzzy Hash: 10fee083a4a5ec707e1785da12135a552950ad07dd89dc998413363c4e83d9b1
Instruction Fuzzy Hash: F6D05E32D2022B97CB00EBA5EC048EFF738EED6261B948626E52477154FB703659C6F1

Function 01508258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 3082208425df867feb4457bfdaeb329351a2cd6ac316fb2bcfc7b259b7e24cec
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F9C01233A0C5282AA626108E7C41EA7BB8CE3C12B5A250137F91CAB280A8429C8001A8

Function 0150A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21ab7f1dd6ff9783a06e69fa5dbf5fb09be06dd4cb0a9a3547a2798501af3de
Instruction ID: 648784f76e0ad99866967b56c901345143d8d642f0830b529a7c1d38b00234af
Opcode Fuzzy Hash: c21ab7f1dd6ff9783a06e69fa5dbf5fb09be06dd4cb0a9a3547a2798501af3de
Instruction Fuzzy Hash: 8CD0677BB410189FCF049F98E8408DDF7B6FB9C261B148516E915A7265C631A921DB50

Function 01505EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5e65106c4208fa6f35a971e4560e5eaa6f50277a1d6749959a5f639d151bd6
Instruction ID: 051997ca6be12cc093ff48581a5f104df915c6f300888cfdceb3bcc462f4fd77
Opcode Fuzzy Hash: be5e65106c4208fa6f35a971e4560e5eaa6f50277a1d6749959a5f639d151bd6
Instruction Fuzzy Hash: 85D02B7080C38F0BC712F736E5664D93F31BB81208B504994B8420F417E979484F8B22

Function 01505EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946b21962c7bf79f745fb307066eae39954a3c763b4dd54b1ca2ce95d3abcae6
Instruction ID: 59bb9127bd9b50fc691c10b61750f399ffa382b1818a8b6dbb22124524e993d6
Opcode Fuzzy Hash: 946b21962c7bf79f745fb307066eae39954a3c763b4dd54b1ca2ce95d3abcae6
Instruction Fuzzy Hash: E8C0127051830F47C501F77BFA55955772AB7C0700F504D10B20B0F119EE7868894AA2

Non-executed Functions

Function 06C42807 Relevance: 14.1, Strings: 11, Instructions: 388COMMON

Download Yara Rule

Strings

PHgq, xrefs: 06C42CF6
PHgq, xrefs: 06C42DEB
", xrefs: 06C43087
Hkq, xrefs: 06C42869
PHgq, xrefs: 06C42BEA
0oJp, xrefs: 06C42A00
PHgq, xrefs: 06C42CE2
PHgq, xrefs: 06C42DD7
PHgq, xrefs: 06C42BFE
PHgq, xrefs: 06C42ED2
PHgq, xrefs: 06C42EE6

Memory Dump Source

Source File: 0000000D.00000002.3898962504.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c40000_pNgFqm.jbxd

Similarity

API ID:
String ID: "$0oJp$Hkq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq$PHgq
API String ID: 0-672688664
Opcode ID: d1075e229f4faf231c656c1639b80fa66210176f7b85a0771cebfa896e7ee858
Instruction ID: 17938e107572deb38c6a606da293283533351a842e85e3d931a3a5da6e59d8fa
Opcode Fuzzy Hash: d1075e229f4faf231c656c1639b80fa66210176f7b85a0771cebfa896e7ee858
Instruction Fuzzy Hash: 7112C2B4E002188FDB64DF69C954B9DBBF2BF89300F1084A9D819AB394DB759E85CF50

Function 01502150 Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

Xkq, xrefs: 015022C7
Xkq, xrefs: 0150220E
Xkq, xrefs: 01502314
Xkq, xrefs: 01502248

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: Xkq$Xkq$Xkq$Xkq
API String ID: 0-2567626648
Opcode ID: b72cdc2c17b61bdf9db2ba0f1b2caf872da95fba54125b89fac5ef3f61da96d3
Instruction ID: 8cf1ff5cee99bf9e1ce2624a13d04304bfe2292211d8f3f4df81ac60ccbe3cc1
Opcode Fuzzy Hash: b72cdc2c17b61bdf9db2ba0f1b2caf872da95fba54125b89fac5ef3f61da96d3
Instruction Fuzzy Hash: 9D71D571D0421A8FCF66DBF8C8587EEBBB6BF89300F1485A5D509AB291DB308D45CB91

Function 01506088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;gq, xrefs: 01506094
\;gq, xrefs: 015060C6
\;gq, xrefs: 015060BA
\;gq, xrefs: 0150609E

Memory Dump Source

Source File: 0000000D.00000002.3893920017.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1500000_pNgFqm.jbxd

Similarity

API ID:
String ID: \;gq$\;gq$\;gq$\;gq
API String ID: 0-1347663453
Opcode ID: a0163ccbfe5b425ee12186741a538b6d97e01c1e3ee4b8229fdd8d40fc71be33
Instruction ID: f0fbe01c6cbcc7b6d9dd360ddff7f53d2f3bda25636420a19c977227b780286e
Opcode Fuzzy Hash: a0163ccbfe5b425ee12186741a538b6d97e01c1e3ee4b8229fdd8d40fc71be33
Instruction Fuzzy Hash: E001B1317900198F8B22CF6DC46092A77F6BF88660315417AE101CF3F4DA71DCA18750

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1MB267382625AE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pNgFqm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z1MB267382625AE.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0lids2i0.t1m.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qt33czf.h1g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5t3f3ljf.e33.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b3qkfkgz.2gb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbn0vzlk.3d4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eo233raw.kx0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndvlinkz.2qm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zowk15da.xvq.psm1

C:\Users\user\AppData\Local\Temp\tmpCA64.tmp

Windows Analysis Report
z1MB267382625AE.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre