Windows Analysis Report
edlyEKgpaz.exe

Overview

General Information

Sample name: edlyEKgpaz.exe (renamed because original name is a hash value)
Original sample name: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
Analysis ID: 1422328
MD5: ccfdbf07643aed4c333fad91828e4a80
SHA1: ccb1efa6c2ef21eb912bfdabb9a6bccb374dc248
SHA256: 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e
Tags: exe

Detection

Snake Keylogger
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Machine Learning detection for sample
Self deletion via cmd or bat file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • edlyEKgpaz.exe (PID: 1736 cmdline: "C:\Users\user\Desktop\edlyEKgpaz.exe" MD5: CCFDBF07643AED4C333FAD91828E4A80)
    • cmd.exe (PID: 2828 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 2884 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration: {"Exfil Mode": "SMTP", "Username": "info@stpgig.com", "Password": "Stpgig#Login21", "Host": "mail.stpgig.com", "Port": "587"}
Source | Rule | Description | Author | Strings
edlyEKgpaz.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
edlyEKgpaz.exe | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
edlyEKgpaz.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1497a:$a1: get_encryptedPassword
  • 0x14c70:$a2: get_encryptedUsername
  • 0x14786:$a3: get_timePasswordChanged
  • 0x14881:$a4: get_passwordField
  • 0x14990:$a5: set_encryptedPassword
  • 0x15fc2:$a7: get_logins
  • 0x15f25:$a10: KeyLoggerEventArgs
  • 0x15bbe:$a11: KeyLoggerEventArgsEventHandler
edlyEKgpaz.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c2e1:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b513:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1b946:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1c985:$a5: \Kometa\User Data\Default\Login Data
edlyEKgpaz.exe | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x1552c:$s1: UnHook
  • 0x15533:$s2: SetHook
  • 0x1553b:$s3: CallNextHook
  • 0x15548:$s4: _hook
Source | Rule | Description | Author | Strings
00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1477a:$a1: get_encryptedPassword
  • 0x14a70:$a2: get_encryptedUsername
  • 0x14586:$a3: get_timePasswordChanged
  • 0x14681:$a4: get_passwordField
  • 0x14790:$a5: set_encryptedPassword
  • 0x15dc2:$a7: get_logins
  • 0x15d25:$a10: KeyLoggerEventArgs
  • 0x159be:$a11: KeyLoggerEventArgsEventHandler
00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x18188:$x1: $%SMTPDV$
  • 0x181ec:$x2: $#TheHashHere%&
  • 0x197dd:$x3: %FTPDV$
  • 0x198d1:$x4: $%TelegramDv$
  • 0x159be:$x5: KeyLoggerEventArgs
  • 0x15d25:$x5: KeyLoggerEventArgs
  • 0x19801:$m2: Clipboard Logs ID
  • 0x199cd:$m2: Screenshot Logs ID
  • 0x19a99:$m2: keystroke Logs ID
  • 0x199a5:$m4: \SnakeKeylogger\
00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author | Strings
0.0.edlyEKgpaz.exe.920000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.edlyEKgpaz.exe.920000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.0.edlyEKgpaz.exe.920000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1497a:$a1: get_encryptedPassword
  • 0x14c70:$a2: get_encryptedUsername
  • 0x14786:$a3: get_timePasswordChanged
  • 0x14881:$a4: get_passwordField
  • 0x14990:$a5: set_encryptedPassword
  • 0x15fc2:$a7: get_logins
  • 0x15f25:$a10: KeyLoggerEventArgs
  • 0x15bbe:$a11: KeyLoggerEventArgsEventHandler
0.0.edlyEKgpaz.exe.920000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c2e1:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b513:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1b946:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1c985:$a5: \Kometa\User Data\Default\Login Data
0.0.edlyEKgpaz.exe.920000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x1552c:$s1: UnHook
  • 0x15533:$s2: SetHook
  • 0x1553b:$s3: CallNextHook
  • 0x15548:$s4: _hook
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: https://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@stpgig.com", "Password": "Stpgig#Login21", "Host": "mail.stpgig.com", "Port": "587"}
Source: https://scratchdreams.tk | Virustotal: Detection: 15%
Source: edlyEKgpaz.exe | ReversingLabs: Detection: 65%
Source: edlyEKgpaz.exe | Virustotal: Detection: 71%
Source: edlyEKgpaz.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49705 version: TLS 1.0
Source: edlyEKgpaz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 104.21.67.152
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D7A000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DE9000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: edlyEKgpaz.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D7A000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DE9000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DA1000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DD7000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D7A000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D10000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DE9000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003D66000.00000004.00000800.00020000.00000000.sdmp, edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: edlyEKgpaz.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003DA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: edlyEKgpaz.exe, 00000000.00000002.1511341797.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231p
Source: edlyEKgpaz.exe | String found in binary or memory: https://scratchdreams.tk

System Summary

Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: edlyEKgpaz.exe | Static PE information: No import functions for PE file found
Source: edlyEKgpaz.exe, 00000000.00000002.1512202901.000000001C822000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs edlyEKgpaz.exe
Source: edlyEKgpaz.exe, 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs edlyEKgpaz.exe
Source: edlyEKgpaz.exe | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs edlyEKgpaz.exe
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: edlyEKgpaz.exe, type: SAMPLE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: edlyEKgpaz.exe, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edlyEKgpaz.exe, .cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edlyEKgpaz.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edlyEKgpaz.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal96.troj.winEXE@6/1@2/2
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\edlyEKgpaz.exe.log
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: edlyEKgpaz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: edlyEKgpaz.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: edlyEKgpaz.exeReversingLabs: Detection: 65%
                Source: edlyEKgpaz.exeVirustotal: Detection: 71%
                Source: edlyEKgpaz.exeString found in binary or memory: F-Stopw
                Source: unknownProcess created: C:\Users\user\Desktop\edlyEKgpaz.exe "C:\Users\user\Desktop\edlyEKgpaz.exe"
                Source: C:\Users\user\Desktop\edlyEKgpaz.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
                Source: C:\Users\user\Desktop\edlyEKgpaz.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3Jump to behavior
                Source: edlyEKgpaz.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: edlyEKgpaz.exeStatic PE information: Image base 0x140000000 > 0x60000000
                Source: edlyEKgpaz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe"
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Memory allocated: 1BBB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599436
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599327
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598999
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598748
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598640
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598531
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598421
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598312
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 598093
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597984
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597874
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597656
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597546
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597437
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597218
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597109
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 597000
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596890
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596781
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596667
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596331
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596203
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 596093
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595984
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595874
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595763
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595644
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595406
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595296
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 595078
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 594967
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 594859
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 594750
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 594640
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Thread delayed: delay time: 594531
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Window / User API: threadDelayed 8191
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Window / User API: threadDelayed 1665
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2352 | Thread sleep count: 8191 > 30
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2352 | Thread sleep count: 1665 > 30
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598748s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597874s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597218s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596667s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596331s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -596093s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595874s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595763s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595644s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595296s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -594967s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -594640s >= -30000s
Source: C:\Users\user\Desktop\edlyEKgpaz.exe TID: 2340 | Thread sleep time: -594531s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: edlyEKgpaz.exe, 00000000.00000002.1510827584.0000000001183000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Queries volume information: C:\Users\user\Desktop\edlyEKgpaz.exe VolumeInformation
Source: C:\Users\user\Desktop\edlyEKgpaz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: edlyEKgpaz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR
Source: Yara match | File source: edlyEKgpaz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: edlyEKgpaz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.edlyEKgpaz.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: edlyEKgpaz.exe PID: 1736, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the count of signatures mapped to that technique; techniques without a number are the standard matrix rows with no hits in this analysis.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus, machine learning and genetic malware detection

Initial sample (Source | Detection | Scanner | Label):
edlyEKgpaz.exe | 66% | ReversingLabs | ByteCode-MSIL.Infostealer.Mintluks
edlyEKgpaz.exe | 72% | Virustotal |
edlyEKgpaz.exe | 100% | Joe Sandbox ML |

Dropped files: no antivirus matches
Unpacked PE files: no antivirus matches

Domains (Source | Detection | Scanner):
reallyfreegeoip.org | 1% | Virustotal
checkip.dyndns.com | 0% | Virustotal
checkip.dyndns.org | 0% | Virustotal

URLs (Source | Detection | Scanner | Label):
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://scratchdreams.tk | 100% | Avira URL Cloud | malware
https://reallyfreegeoip.org/xml/102.129.152.231p | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/102.129.152.231 | 0% | Avira URL Cloud | safe
https://scratchdreams.tk | 15% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus detection | Reputation):
reallyfreegeoip.org | 104.21.67.152 | true | false | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Contacted URLs (Name | Malicious | Antivirus detection | Reputation):
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/102.129.152.231 | false | Avira URL Cloud: safe | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus detection | Reputation). Memory-dump sources are abbreviated to their address; the full identifier is 00000000.00000002.1511341797.<address>.00000004.00000800.00020000.00000000.sdmp of edlyEKgpaz.exe.
https://reallyfreegeoip.org | dumps 03D8D000, 03DD7000, 03CC2000, 03D7A000, 03D10000, 03DE9000, 03D66000, 03DA1000 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | dumps 03D66000, 03DA1000 | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | dumps 03D8D000, 03DD7000, 03CC2000, 03D7A000, 03DE9000, 03D66000, 03DA1000 | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/102.129.152.231p | dump 03CC2000 | false | Avira URL Cloud: safe | unknown (the trailing "p" is most likely an adjacent byte picked up by string extraction; the contacted URL above has no suffix)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | dump 03BB1000 | false | | high
http://checkip.dyndns.org/q | edlyEKgpaz.exe (sample file) | false | URL Reputation: safe | unknown
https://scratchdreams.tk | edlyEKgpaz.exe (sample file) | false | 15% Virustotal; Avira URL Cloud: malware | unknown
http://reallyfreegeoip.org | dumps 03D8D000, 03DD7000, 03D7A000, 03DE9000, 03D66000, 03DA1000, 03CE2000 | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | edlyEKgpaz.exe (sample file) | false | URL Reputation: safe | unknown
Contacted public IPs (IP | Domain | Country | ASN | ASN name | Malicious):
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENET, US | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEM, US | false
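A detection built on the network indicators above, added here as an example and not part of the Joe Sandbox report. The sample first fetches its public IP from checkip.dyndns.org over plain HTTP and then, in this analysis within about a second, opens TLS to reallyfreegeoip.org with that IP in the URL path (/xml/102.129.152.231). A lone IP-check request is common in legitimate software, so the rule keys on the ordered pair per client inside a short window and reports the public IP the sample learned; it separately flags the host the report rates as malware. The log lines are constructed (their format, the second client and the scratchdreams.tk connection are assumptions; the report only shows that string inside the binary, not a connection to it).

```python
from datetime import datetime, timedelta

# Hosts from the report's domain/URL tables. scratchdreams.tk is the one
# rated "malware" by Avira URL Cloud; the other two are benign services
# abused for victim fingerprinting.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
KNOWN_BAD_HOSTS = {"scratchdreams.tk"}
GEOIP_PREFIX = "https://reallyfreegeoip.org/xml/"
WINDOW = timedelta(seconds=30)   # max gap between IP check and geoip lookup

# Constructed egress-proxy log: timestamp, client, host, dest port, URL ("-" if none).
# Client 192.168.2.8 mirrors the report's timing; 192.168.2.9 is a control case
# whose two requests are minutes apart and must not fire the sequence rule.
LOG_LINES = """2024-04-08T15:29:32.242 192.168.2.8 checkip.dyndns.org 80 http://checkip.dyndns.org/
2024-04-08T15:29:32.500 192.168.2.8 slscr.update.microsoft.com 443 -
2024-04-08T15:29:33.172 192.168.2.8 reallyfreegeoip.org 443 https://reallyfreegeoip.org/xml/102.129.152.231
2024-04-08T15:31:02.010 192.168.2.8 scratchdreams.tk 443 https://scratchdreams.tk
2024-04-08T15:40:00.000 192.168.2.9 checkip.dyndns.org 80 http://checkip.dyndns.org/
2024-04-08T15:45:10.000 192.168.2.9 reallyfreegeoip.org 443 https://reallyfreegeoip.org/xml/
"""


def parse_log(text):
    """Parse the space-separated log into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, client, host, port, url = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
            "client": client,
            "host": host.lower(),
            "port": int(port),
            "url": url,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts for (a) an IP check followed by a geoip lookup from the
    same client within WINDOW and (b) any contact with a known-bad host."""
    alerts = []
    last_ip_check = {}   # client -> timestamp of its most recent IP-check request
    for e in events:
        if e["host"] in KNOWN_BAD_HOSTS:
            alerts.append({"client": e["client"], "rule": "known_c2_host",
                           "host": e["host"], "ts": e["ts"]})
        if e["host"] in IP_CHECK_HOSTS:
            last_ip_check[e["client"]] = e["ts"]
        elif e["host"] in GEOIP_HOSTS:
            seen = last_ip_check.get(e["client"])
            if seen is not None and e["ts"] - seen <= WINDOW:
                # The path element after /xml/ is the IP the sample just learned.
                public_ip = ""
                if e["url"].startswith(GEOIP_PREFIX):
                    public_ip = e["url"][len(GEOIP_PREFIX):].strip("/")
                alerts.append({"client": e["client"], "rule": "ipcheck_then_geoip",
                               "gap_s": (e["ts"] - seen).total_seconds(),
                               "public_ip": public_ip, "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(LOG_LINES)):
        print(a)
```

The gap for the mirrored client is 0.93 s, which is the value a hunting query would use as a threshold hint; tune WINDOW to the sleep behaviour you observe, since the sample also modifies Sleep calls (see the behaviour entry below).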
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1422328
                  Start date and time:2024-04-08 15:28:35 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 2m 45s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:edlyEKgpaz.exe
                  renamed because original name is a hash value
                  Original Sample Name:461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
                  Detection:MAL
                  Classification:mal96.troj.winEXE@6/1@2/2
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 33
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  • Exclude process from analysis (whitelisted): dllhost.exe
                  • Excluded IPs from analysis (whitelisted): 40.127.169.103
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                  • Execution Graph export aborted for target edlyEKgpaz.exe, PID 1736 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Behavior timeline (Time | Type | Description):
15:29:33 | API Interceptor | 64x Sleep call for process: edlyEKgpaz.exe modified
Context: IPs (Associated sample name / URL | Detection | Threat name | Context)

104.21.67.152
58208 Teklif.exe | malicious | Snake Keylogger |
Zarefy4bOs.exe | malicious | Snake Keylogger |
SAT8765456000.xlam.xlsx | malicious | PureLog Stealer, RedLine, Snake Keylogger |
Purchase Order.exe | malicious | Snake Keylogger |
Purchase Order.exe | malicious | Snake Keylogger |
1d4D5ndo0x.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger |
D09876500900000H.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger |
23343100IM00270839_Dekont1.exe | malicious | Snake Keylogger |
Payment_Draft_confirmation.xla.xlsx | malicious | Snake Keylogger |
e-dekont.exe | malicious | Snake Keylogger |

132.226.247.73
Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | checkip.dyndns.org/
Purchase Order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Purchase Order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
8wvP84hzFu.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Payment_Draft_confirmation.xla.xlsx | malicious | Snake Keylogger | checkip.dyndns.org/
xdd6BRIg0O.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | checkip.dyndns.org/
Mquqdysqqv.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
SecuriteInfo.com.Trojan.PackedNET.2725.19533.14530.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Vessel Particulars.exe | malicious | Snake Keylogger | checkip.dyndns.org/

Context: domains (Associated sample name / URL | Detection | Threat name | Resolved IP)

checkip.dyndns.com
PsBygexGwH.exe | malicious | Snake Keylogger | 158.101.44.242
58208 Teklif.exe | malicious | Snake Keylogger | 193.122.130.0
Zarefy4bOs.exe | malicious | Snake Keylogger | 193.122.6.168
VI3 Operation Guide_tech Info versionfdp.exe | malicious | Agent Tesla, AgentTesla | 132.226.8.169
Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | 132.226.247.73
SAT8765456000.xlam.xlsx | malicious | PureLog Stealer, RedLine, Snake Keylogger | 158.101.44.242
request-2.doc.exe | malicious | Agent Tesla, AgentTesla | 132.226.8.169
Purchase Order.exe | malicious | Snake Keylogger | 132.226.8.169
Purchase Order.exe | malicious | Snake Keylogger | 158.101.44.242
Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 132.226.247.73

reallyfreegeoip.org
PsBygexGwH.exe | malicious | Snake Keylogger | 172.67.177.134
58208 Teklif.exe | malicious | Snake Keylogger | 104.21.67.152
Zarefy4bOs.exe | malicious | Snake Keylogger | 104.21.67.152
Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | 172.67.177.134
SAT8765456000.xlam.xlsx | malicious | PureLog Stealer, RedLine, Snake Keylogger | 104.21.67.152
Purchase Order.exe | malicious | Snake Keylogger | 172.67.177.134
Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 172.67.177.134
Purchase Order.exe | malicious | Snake Keylogger | 104.21.67.152
Purchase Order.exe | malicious | Snake Keylogger | 172.67.177.134
Purchase Order.exe | malicious | Snake Keylogger | 104.21.67.152

Context: ASNs (Associated sample name / URL | Detection | Threat name | IP)

CLOUDFLARENET, US
P3DuNLpu72.exe | malicious | AgentTesla | 104.26.12.205
oi89NcmKFP.exe | malicious | AgentTesla | 172.67.74.152
ZaDKpv94O0.exe | malicious | AgentTesla | 104.26.13.205
a9wJzPSyH4.exe | malicious | AgentTesla | 104.26.13.205
http://56hytuti5.weebly.com | malicious | Unknown | 162.159.136.66
https://wix-l.in/k-T3DnGkZk | malicious | Unknown | 1.1.1.1
https://777qiuqiu.online/LOVEYOU/ | malicious | Unknown | 172.67.158.60
f4CdNDrJp8.exe | malicious | FormBook | 172.67.152.117
https://www.mail2world.com/FileCabinet/Download.asp?User=av044072@mail2world.com&app=web&FID=%7bC96F9402-AB4B-48C3-BCE0-B86B5F3F10A5%7d | malicious | HTMLPhisher | 104.17.2.184
xnYuUw7KjK.exe | malicious | AgentTesla, PureLog Stealer | 172.67.146.180

UTMEM, US
VI3 Operation Guide_tech Info versionfdp.exe | malicious | Agent Tesla, AgentTesla | 132.226.8.169
1WOxWETNbC.elf | malicious | Unknown | 132.226.89.213
Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | 132.226.247.73
request-2.doc.exe | malicious | Agent Tesla, AgentTesla | 132.226.8.169
Purchase Order.exe | malicious | Snake Keylogger | 132.226.8.169
Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 132.226.247.73
Purchase Order.exe | malicious | Snake Keylogger | 132.226.247.73
Purchase Order.exe | malicious | Snake Keylogger | 132.226.247.73
FGT5000800000.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 132.226.8.169
z52OURO08765.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 132.226.8.169

Context: JA3 fingerprints (Associated sample name / URL | Detection | Threat name | IP). The mix of families below, plus a plain web URL, shows this fingerprint identifies the TLS client stack rather than a malware family; treat it as a pivot, not as an indicator on its own.

54328bd36c14bd82ddaa0c04b25ed9ad
PsBygexGwH.exe | malicious | Snake Keylogger | 104.21.67.152
58208 Teklif.exe | malicious | Snake Keylogger | 104.21.67.152
Zarefy4bOs.exe | malicious | Snake Keylogger | 104.21.67.152
VI3 Operation Guide_tech Info versionfdp.exe | malicious | Agent Tesla, AgentTesla | 104.21.67.152
Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | 104.21.67.152
file.exe | malicious | SmokeLoader, Xehook Stealer | 104.21.67.152
request-2.doc.exe | malicious | Agent Tesla, AgentTesla | 104.21.67.152
https://my.visme.co/view/w46vn911-northshore-tractor-ltd | malicious | Unknown | 104.21.67.152
Purchase Order.exe | malicious | Snake Keylogger | 104.21.67.152
Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | 104.21.67.152
                                      No context
                                      Process:C:\Users\user\Desktop\edlyEKgpaz.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):1510
                                      Entropy (8bit):5.380493107040482
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
                                      MD5:EC75759911B88E93A2B5947380336033
                                      SHA1:4D1472BBA520DBF76449567159CD927E94454210
                                      SHA-256:5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
                                      SHA-512:EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
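The preview above has the layout of the CLR's per-executable usage log: setting rows such as "fusion"/"GAC", then one row per assembly binding with the display name, the file it bound to and a flag. The report does not show where the file was dropped; the usual location of such logs under %LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs\<exe>.log is stated here as an assumption, and the meaning of the leading record codes (1 = setting, 3 = binding) is inferred from the layout, not from documentation. The parser below is an added example, not part of the Joe Sandbox report, and takes the preview text as constructed input.

```python
import csv
import io
import re

# Constructed input: the dropped CSV preview with the report's ".." separators
# restored to line breaks. The last row is cut off in the report preview, so its
# path is left truncated here as well (only the quote is closed so the row parses).
USAGE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0
3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64"
'''

# Native-image directories encode the CLR version and bitness of the process.
NATIVE_IMAGE_DIR = re.compile(r"NativeImages_v(\d+\.\d+\.\d+)_(32|64)")


def parse_usage_log(text):
    """Split a usage log into runtime settings and assembly bindings.
    Record codes are an assumption from the layout: a row starting with 1 is a
    name/value setting, a row starting with 3 is an assembly binding."""
    settings, bindings = {}, []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue                      # blank or unparseable line
        if row[0] == "1" and len(row) >= 3:
            settings[row[1]] = row[2]
        elif row[0] == "3":
            path = row[2] if len(row) >= 3 else ""   # tolerate truncated rows
            bindings.append({
                "name": row[1].split(",", 1)[0].strip(),   # simple name
                "display_name": row[1],
                "path": path,
                "native_image": path.lower().endswith(".ni.dll"),
            })
    return settings, bindings


def loaded_assemblies(text):
    """Simple names of every assembly the process bound, in log order."""
    return [b["name"] for b in parse_usage_log(text)[1]]


def runtime_hints(bindings):
    """CLR version and bitness taken from the first native-image path seen,
    or None when no binding resolved to a native image."""
    for b in bindings:
        m = NATIVE_IMAGE_DIR.search(b["path"])
        if m:
            return {"clr_version": m.group(1), "bitness": int(m.group(2))}
    return None


if __name__ == "__main__":
    settings, bindings = parse_usage_log(USAGE_LOG)
    print(settings, runtime_hints(bindings))
    for b in bindings:
        print(b["name"], "ni" if b["native_image"] else "il", b["path"])
```

For triage, the binding list says which framework subsystems the process actually pulled in: System.Windows.Forms and System.Drawing are what a .NET keylogger needs for window and screen access, and the _64 native-image directory confirms a 64-bit CLR 4 process, consistent with the PE32+ header described below.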
                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.860140512962988
                                      TrID:
                                      • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                      • Win64 Executable GUI (202006/5) 46.43%
                                      • Win64 Executable (generic) (12005/4) 2.76%
                                      • Generic Win/DOS Executable (2004/3) 0.46%
                                      • DOS Executable Generic (2002/1) 0.46%
                                      File name:edlyEKgpaz.exe
                                      File size:132'608 bytes
                                      MD5:ccfdbf07643aed4c333fad91828e4a80
                                      SHA1:ccb1efa6c2ef21eb912bfdabb9a6bccb374dc248
                                      SHA256:461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e
                                      SHA512:c9bd1a9ac30e941eae5acf39cff6c6b0ac8a95e7bd0c656496851f15fcce345f4cf0371df6aad709c4f72845ad496291a70d9364572abdd8da0d7444f385b6c7
                                      SSDEEP:3072:jeHgpwPUTi/GIRhvudmxG9OCAXGtsddlQbgkVcsQvwvxLob3mDbY:VpmNZMm7Lqbfcb30b
                                      TLSH:B3D3080D37E84804E1FF997316716211C7B6F8430A1ADE1D1AD2F8692A7DB91CE1AF93
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......e.........."...P.................. .....@..... .......................@............@...@......@............... .....
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x140000000
                                      Entrypoint Section:
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x65D908AD [Fri Feb 23 21:05:49 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:
Instructions at the entry point. The native entry point is 0, so the entry VA equals the image base and the bytes decoded here are the DOS header (4D 5A, "MZ", disassembles as dec ebp / pop edx); a managed image starts through the CLR header, not at this address.
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Data directories (Name | Virtual address | Virtual size | Is in section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections (Name | Virtual address | Virtual size | Raw size | MD5 | Xored PE | ZLIB complexity | File type | Entropy | Characteristics):
.text | 0x2000 | 0x1f1b8 | 0x1f200 | de60aef4ac94b80e62e3bbb03e5293f2 | False | 0.3577434738955823 | data | 5.859891373349516 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x108f | 0x1200 | a9748b2af48eaa26a49411e60c15061d | False | 0.3665364583333333 | data | 4.872208135586403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources (Name | RVA | Size | Type | Language | Country | ZLIB complexity):
RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key (libmagic misidentification; RT_VERSION holds the VS_VERSIONINFO block) | | | 0.4203056768558952
RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3926651912741069
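The directory and section tables above explain two entries in the overview, "PE file does not import any functions" and an entry point equal to the image base: the import directory is empty while the COM descriptor (CLR header) is present, which is the normal shape of a PE32+ managed assembly rather than a sign of packing. As an added example, not part of the report, the code below builds a header-only PE32+ with the values the report lists (constructed bytes, not the sample's) and parses it with the standard library to produce the checks a reviewer would want before reading "no imports" as evasion. Flag names follow the PE specification.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics and IMAGE_FILE_HEADER.Characteristics
# bit names, per the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER (20 bytes)
OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"   # IMAGE_OPTIONAL_HEADER64 up to the directories (112 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER (40 bytes)
IMPORT_DIR, RESOURCE_DIR, CLR_DIR = 1, 2, 14


def build_sample_pe():
    """Constructed input: header-only PE32+ carrying the report's values
    (ImageBase 0x140000000, AddressOfEntryPoint 0, DllCharacteristics 0x8540,
    empty import directory, resource and CLR directories, .text/.rsrc)."""
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew) + bytes(e_lfanew - 0x40)
    coff = struct.pack(COFF_FMT, 0x8664, 2, 0x65D908AD, 0, 0, 240, 0x0022)
    opt = struct.pack(OPT64_FMT, 0x20B, 48, 0, 0x1F200, 0x1200, 0, 0, 0x2000,
                      0x140000000, 0x2000, 0x200, 4, 0, 4, 0, 4, 0, 0,
                      0x24000, 0x200, 0, 2, 0x8540,
                      0x400000, 0x4000, 0x100000, 0x2000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[RESOURCE_DIR] = (0x22000, 0x108F)
    dirs[CLR_DIR] = (0x2000, 0x48)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = struct.pack(SECTION_FMT, b".text", 0x1F1B8, 0x2000, 0x1F200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rsrc", 0x108F, 0x22000, 0x1200, 0x1F400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + opt + secs


def parse_pe(data):
    """Parse DOS, COFF and optional headers, data directories and sections of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT64_FMT, data, opt_off)
    if opt[0] != 0x20B:
        raise ValueError("this example handles PE32+ (magic 0x20B) only")
    dirs = [struct.unpack_from("<II", data, opt_off + 112 + 8 * i) for i in range(opt[28])]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": schars})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_point": opt[6], "image_base": opt[8], "subsystem": opt[21],
            "dll_characteristics": opt[22], "dirs": dirs, "sections": sections}


def decode_flags(value, table=DLL_CHARACTERISTICS):
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for_rva(pe, rva):
    """Name of the section containing an RVA (the report's 'Is in Section' column)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe):
    """Findings a reviewer needs next to the 'no imports' signature."""
    has_imports = tuple(pe["dirs"][IMPORT_DIR]) != (0, 0)
    clr_rva = pe["dirs"][CLR_DIR][0]
    out = []
    if clr_rva:
        out.append("managed image: CLR header at RVA 0x%x in %s" % (clr_rva, section_for_rva(pe, clr_rva)))
    if not has_imports:
        out.append("no import table: expected for a PE32+ managed assembly, the CLR binds APIs at run time"
                   if clr_rva else
                   "no import table on a native image: packed or resolving APIs at run time, treat as suspicious")
    if pe["entry_point"] == 0:
        out.append("AddressOfEntryPoint is 0: entry VA equals ImageBase 0x%x, bytes there are the DOS header"
                   % pe["image_base"])
    return out


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(decode_flags(pe["dll_characteristics"]), decode_flags(pe["characteristics"], FILE_CHARACTERISTICS))
    print("\n".join(triage(pe)))
```

Run the same parser over a real file with `parse_pe(open(path, "rb").read())`; the native-image branch of `triage` is the case that deserves a closer look, because a native PE with no import directory has to obtain its APIs some other way.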
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2024 15:29:32.110373974 CEST | 58989 | 53 | 192.168.2.8 | 1.1.1.1
Apr 8, 2024 15:29:32.235025883 CEST | 53 | 58989 | 1.1.1.1 | 192.168.2.8
Apr 8, 2024 15:29:33.040128946 CEST | 52700 | 53 | 192.168.2.8 | 1.1.1.1
Apr 8, 2024 15:29:33.171473980 CEST | 53 | 52700 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 8, 2024 15:29:32.110373974 CEST | 192.168.2.8 | 1.1.1.1 | 0x5988 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:33.040128946 CEST | 192.168.2.8 | 1.1.1.1 | 0x4bd1 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:32.235025883 CEST | 1.1.1.1 | 192.168.2.8 | 0x5988 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:33.171473980 CEST | 1.1.1.1 | 192.168.2.8 | 0x4bd1 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Apr 8, 2024 15:29:33.171473980 CEST | 1.1.1.1 | 192.168.2.8 | 0x4bd1 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false

• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe

Timestamp | Bytes transferred | Direction | Data
Apr 8, 2024 15:29:32.476269960 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Apr 8, 2024 15:29:32.709810019 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:32 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: dcfd5907c25f3c6f9cdc17d28c212c5f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 15:29:32.717508078 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Apr 8, 2024 15:29:32.950448990 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:32 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 338de7e43cb2a982398a5f55d64213f3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 8, 2024 15:29:33.780790091 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Apr 8, 2024 15:29:34.013850927 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:33 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a6541b3080ec8b75441e502314fc2ab9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe

Timestamp | Bytes transferred | Direction | Data
Apr 8, 2024 15:29:34.843703032 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Apr 8, 2024 15:29:35.076780081 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:34 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f0599f760438b22ddb8d334de7341c07
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49709 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe

Timestamp | Bytes transferred | Direction | Data
Apr 8, 2024 15:29:35.878436089 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Apr 8, 2024 15:29:36.113852024 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:35 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5761035cc255cb292f6e14ee1ea22ff1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe

Timestamp | Bytes transferred | Direction | Data
Apr 8, 2024 15:29:36.918076992 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Apr 8, 2024 15:29:37.148477077 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:37 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 083cd1b35955eb43d9045e409adfe7d9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49713 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe

Timestamp | Bytes transferred | Direction | Data
Apr 8, 2024 15:29:37.948175907 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Apr 8, 2024 15:29:38.179604053 CEST | 324 | IN | HTTP/1.1 200 OK
Date: Mon, 08 Apr 2024 13:29:38 GMT
Content-Type: text/html
Content-Length: 107
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8d9aa8839861df1fbc48e19290bffb07
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      5192.168.2.849715132.226.247.73801736C:\Users\user\Desktop\edlyEKgpaz.exe
                                      TimestampBytes transferredDirectionData
                                      Apr 8, 2024 15:29:38.984246969 CEST151OUTGET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Apr 8, 2024 15:29:39.229159117 CEST | 324 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:39 GMT
                                      Content-Type: text/html
                                      Content-Length: 107
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: d1d137201b1317f8c6d11967c3dfdedf
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.8 | 49717 | 132.226.247.73 | 80 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Apr 8, 2024 15:29:40.027584076 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Apr 8, 2024 15:29:40.261059046 CEST | 324 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:40 GMT
                                      Content-Type: text/html
                                      Content-Length: 107
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: c4ee395a2738d9838e22e3501eab5633
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.8 | 49705 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:33 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:33 UTC | 708 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:33 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84874
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ljmeYjZRbs1Ydy5P7dwCFjl95M9XWAyk00ifO5BmbgIvr7X69bnbGLYOl0n%2FJT7hCgQ1PaAM8Tu5leyDdK7h4Dm%2BWYjqw58BKM%2FUqZiBvUFFoaqXuqJtgjxuYjoZJ0OW%2BMszVvF4"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b61890c9ab7-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:33 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.8 | 49706 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:34 UTC | 64 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2024-04-08 13:29:34 UTC | 712 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:34 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84875
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=si7ISH9EMbYq8hGyCs8qBA7%2Bg9Krt9KQAIELC81ezGhJ6LL%2BP11ZwtP8%2F6CdSMP8xcuBLIaR2FEi7%2BM3y9EyKy6EQdHhJ2x8Hiewu6Hrh0ivvfNatkKv2bK2%2F5%2BktfCrxDeWx8vZ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b66ac79b3e3-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:34 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.8 | 49708 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:35 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:35 UTC | 710 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:35 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84876
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o1%2FfwLnqCoRXtqTUiIOByQsPZ3NT2GQ7qznV1y50V7iZE3wtGDI8gM7PLnzyimlzs%2Bef7tCH8zwNd1tMrGY5Gx6SetXl%2B8mVilGk9%2BV6PIGv%2B7ftoPL6lSPfRWmheUfaHFDnZter"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b6d4b447472-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:35 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.8 | 49710 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:36 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:36 UTC | 708 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:36 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84877
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WtEnj0wYhuehiJ5NExB%2FFW2D2W4cIcoH303sKYRaG72ExOceEqQf8XeD%2F51GMchWZBtdzqfaswJoqAGDQSqxKt1SIocT12Rv%2FHxUbQ8xjvc%2Bv9YvcWddFX0OsVu5xY8xhPcr95VE"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b73bf79b3e9-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:36 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      4 | 192.168.2.8 | 49712 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:37 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:37 UTC | 714 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:37 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84878
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BXK4GPadzewI%2B5bZp3hbAu0iw3rJjVgZkz61%2FXXMQ1JPG97%2FOjUYM%2B4FFb6%2FfeeuPchegGYmA3bIZZXh3AwcmpyHCg%2Boj8lCpHIR4kBkfI%2BnZduZYjoSQryglI9Rm0bR9o48zriH"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b7a3eaa8db5-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:37 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      5 | 192.168.2.8 | 49714 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:38 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:38 UTC | 704 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:38 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84879
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V2nAPRm4Ygwg4NGAicxNxh8JqQCUpR2T7O%2FjB9sW6ZIg714cUhTHMZpDeOer1LGDaoytSLHFGB003K5eEAH8INBPiT3oROA2KaKlpc4kVwtJ1oLTMnQmxS8lQISeYB%2BL9iPkidrV"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b80ad6da51b-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:38 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      6 | 192.168.2.8 | 49716 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:39 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:39 UTC | 712 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:39 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84880
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p280%2BeSKci90icT57YHAdI2TwVcsg7A7FiWiHR8q%2FaBZw5msxMuL%2BDgMIL9ZVbAbybEWNKB%2BPesD0t2vK0VfZhI4hk85egB8BuReh8eS1Z%2Bev98Ik%2F3KBY9rEkMt58ZqwmFER57h"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b873e283364-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:39 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      7 | 192.168.2.8 | 49718 | 104.21.67.152 | 443 | 1736 | C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-04-08 13:29:40 UTC | 88 | OUT | GET /xml/102.129.152.231 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-04-08 13:29:40 UTC | 708 | IN | HTTP/1.1 200 OK
                                      Date: Mon, 08 Apr 2024 13:29:40 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 84881
                                      Last-Modified: Sun, 07 Apr 2024 13:54:59 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tCClrOWxEni9PLXlCPhA93QRwfb%2Bb6RSkDMmsvkYqHtV01EZ652mLfiZegYx7GKDbJ9DqnVP54whl1uvH4HYgRq6BJnr5gzB4Dq1NOlD5l140Ir1WBI%2B96lgvLACMFB%2B%2FOdws5Gu"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 87129b8db99d5c77-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      2024-04-08 13:29:40 UTC | 380 | IN | Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73
                                      Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
                                      2024-04-08 13:29:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0



                                      Target ID:0
                                      Start time:15:29:30
                                      Start date:08/04/2024
                                      Path:C:\Users\user\Desktop\edlyEKgpaz.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\edlyEKgpaz.exe"
                                      Imagebase:0x920000
                                      File size:132'608 bytes
                                      MD5 hash:CCFDBF07643AED4C333FAD91828E4A80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.1416628093.0000000000922000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1511341797.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:15:29:40
                                      Start date:08/04/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\edlyEKgpaz.exe"
                                      Imagebase:0x7ff6fbc20000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:15:29:40
                                      Start date:08/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6ee680000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:15:29:40
                                      Start date:08/04/2024
                                      Path:C:\Windows\System32\choice.exe
                                      Wow64 process (32bit):false
                                      Commandline:choice /C Y /N /D Y /T 3
                                      Imagebase:0x7ff691510000
                                      File size:35'840 bytes
                                      MD5 hash:1A9804F0C374283B094E9E55DC5EE128
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_^$K;N
                                        • API String ID: 0-2106489120
                                        • Opcode ID: aa1b24018f4755203921ba3dac74feb3c66dc8f8224c54e26d188610828056dd
                                        • Instruction ID: ea10080391e79ae45d204e85e6d593d56a8ee12a4c274c303dc4c55240cb7835
                                        • Opcode Fuzzy Hash: aa1b24018f4755203921ba3dac74feb3c66dc8f8224c54e26d188610828056dd
                                        • Instruction Fuzzy Hash: F3A11571A0892D8FDB94EF6CD884BEDBBB1FF58311F0041AAD54DD7252DA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_^$K;N
                                        • API String ID: 0-2106489120
                                        • Opcode ID: b5f8d2e6abb2cfd6310a68a3e67e6cf25bffe1da7bfdd54f0e6af59b6e098219
                                        • Instruction ID: 66b3f8abaeb0aecd572e8f9f34f42d8e62f792fe520a1b71e19b179d0191fd92
                                        • Opcode Fuzzy Hash: b5f8d2e6abb2cfd6310a68a3e67e6cf25bffe1da7bfdd54f0e6af59b6e098219
                                        • Instruction Fuzzy Hash: 82A10571A0892D8FDB94EF68D884BEDBBE1FF59311F0041AAD54DD7252DA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_^$K;N
                                        • API String ID: 0-2106489120
                                        • Opcode ID: 10c45da2c351cce17e130356ab12eaf8dbd96422d6fe4cb5933e62fa2dc94485
                                        • Instruction ID: 2920b8f3a3d38b47ec059a9890f0acce2b841e17aea3670909484e8f348a188a
                                        • Opcode Fuzzy Hash: 10c45da2c351cce17e130356ab12eaf8dbd96422d6fe4cb5933e62fa2dc94485
                                        • Instruction Fuzzy Hash: 4AA11671A0892D8FDB94EF68D885BEDBBF1FF58311F0041AAD54DD7252CA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_^$K;N
                                        • API String ID: 0-2106489120
                                        • Opcode ID: a41e6ab348df7de5d2a837f9e4e477a8a5e1794949e427c8acd81f00a0fba260
                                        • Instruction ID: ea4f8fc5901c4d4279593b2d2cc1709f0305b2664f9bf1bb2e3f63abfc8d168f
                                        • Opcode Fuzzy Hash: a41e6ab348df7de5d2a837f9e4e477a8a5e1794949e427c8acd81f00a0fba260
                                        • Instruction Fuzzy Hash: 43A11771A0892D8FDB94EF68D885BEDBBF1FF58311F0041AAD54DD7252CA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K;N
                                        • API String ID: 0-4198949112
                                        • Opcode ID: 6ef2d95ad57a053ec2d26955992fe14056b044407b47ed5f061582de29b55709
                                        • Instruction ID: 551787ab3cefd38d6fdb94c04db84ab4eeef99bae9b7adbffe63a02e3ed86095
                                        • Opcode Fuzzy Hash: 6ef2d95ad57a053ec2d26955992fe14056b044407b47ed5f061582de29b55709
                                        • Instruction Fuzzy Hash: FAA11771A0892D8FDB94EF6CD885BEDBBE1FF58311F0041AAD54DD7252CA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K;N
                                        • API String ID: 0-4198949112
                                        • Opcode ID: 249313c1bbc3ebc34bb3f2c65ce89f75a296a9f918d371f20db5fd9c7b9f605e
                                        • Instruction ID: ebbdcf66372c07226972bcd90e637a0d6377189262628d361cd1799784a9285d
                                        • Opcode Fuzzy Hash: 249313c1bbc3ebc34bb3f2c65ce89f75a296a9f918d371f20db5fd9c7b9f605e
                                        • Instruction Fuzzy Hash: 71A10771A0892D8FDB94EF68D885BEDBBF1FF59311F0041AAD54DD7252CA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K;N
                                        • API String ID: 0-4198949112
                                        • Opcode ID: 315f36ebfb6cf9ffffc54d8dee39e251bea2a86ac94cdca7a098062a4c3dfcee
                                        • Instruction ID: 9753248759b5a58e2b19a38377fcf0f6988e9201d261957f70878772ba2e4b55
                                        • Opcode Fuzzy Hash: 315f36ebfb6cf9ffffc54d8dee39e251bea2a86ac94cdca7a098062a4c3dfcee
                                        • Instruction Fuzzy Hash: 2BA11871A0892D8FDB94EF68D885BEDBBF1FF59311F0041AAD54DD7252CA34A881CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K;N
                                        • API String ID: 0-4198949112
                                        • Opcode ID: 94864e479d3d84cf5fb6325fbbc89a0170e6fcc87e0ca46ebefb60dd73ecaf61
                                        • Instruction ID: f178a7d3ec95b36e79a3586fed9795ac3ba15bb9c90088f3cdf24d9e3cf1478d
                                        • Opcode Fuzzy Hash: 94864e479d3d84cf5fb6325fbbc89a0170e6fcc87e0ca46ebefb60dd73ecaf61
                                        • Instruction Fuzzy Hash: 20A11971A0892D8FDB94EF68D884BEDBBF1FF59311F0041AAD54DD7252DA34A881CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K;N
                                        • API String ID: 0-4198949112
                                        • Opcode ID: 1af63fe5d5595427d28f9fbcab8bd630444aea43cd74b58542888a8f4acd26f1
                                        • Instruction ID: 1f2522965518fc6bb114ae4b050de50d06e64a6cfb213cff7b11048b8e5e289e
                                        • Opcode Fuzzy Hash: 1af63fe5d5595427d28f9fbcab8bd630444aea43cd74b58542888a8f4acd26f1
                                        • Instruction Fuzzy Hash: ECA10871A0892D8FDB94EF68D885BEDBBF1FF59311F0041AAD54DD7252DA34A881CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94f0c75921d0dba618caa501e22c8f6357bd2dce51d269275cf68c55fd1e8fed
                                        • Instruction ID: 7e6e615b1488cc0345bd2e5f39c4b1333a69509481b966680f6aa67393804d06
                                        • Opcode Fuzzy Hash: 94f0c75921d0dba618caa501e22c8f6357bd2dce51d269275cf68c55fd1e8fed
                                        • Instruction Fuzzy Hash: 4222D87091992D8FDBD1FF28C899BA9BBB2FB98300F5041A5D40DE3655EE34AD818F50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff923287eee15a019e8f27a66b91c9ea8a80ece4567a81dd3efb97001e5eec06
                                        • Instruction ID: 43657a719c18a65057e95116f8e966b51600420e1bb5661d629198eac6d56beb
                                        • Opcode Fuzzy Hash: ff923287eee15a019e8f27a66b91c9ea8a80ece4567a81dd3efb97001e5eec06
                                        • Instruction Fuzzy Hash: 05B12D7190CA5D8FDB95EF68C895BACBBF1FF59300F1041AAD00DE7292DA34A981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ded6c782e69138fc205fe5f9a5b6d73470d370b23994cd753a4c94dce7e5c023
                                        • Instruction ID: 7f21ba3575f6c34b0a133e2d8037c9e093d01f7f7f84259fd246de3b79b2312a
                                        • Opcode Fuzzy Hash: ded6c782e69138fc205fe5f9a5b6d73470d370b23994cd753a4c94dce7e5c023
                                        • Instruction Fuzzy Hash: EFB17CB1A0CA598FEB95EF68C8557E9BFF1FF19300F0440AAD44DE72A2CA355981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 109db1f936a2bd28dd0a1ae7eb215ad764daab543bf6c182c26befba1d6ff6d1
                                        • Instruction ID: df3a067ded718aff14dcc0549ac09b2485648e9bb56f24e045420f75e452837e
                                        • Opcode Fuzzy Hash: 109db1f936a2bd28dd0a1ae7eb215ad764daab543bf6c182c26befba1d6ff6d1
                                        • Instruction Fuzzy Hash: ABB12D7190CA5D8FDB95EF68C895BA8BBF1FF59300F1041EAD00DE72A2DA349981CB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 252054a2d042f168927362d99200a33fe700a01a9e304c444e2eb7a0d8f485e8
                                        • Instruction ID: 15855be9a71b2944c5cc2f6b16ddd4d4bc4b857845e83d434a490dbae13b039b
                                        • Opcode Fuzzy Hash: 252054a2d042f168927362d99200a33fe700a01a9e304c444e2eb7a0d8f485e8
                                        • Instruction Fuzzy Hash: 8DB10DB1908A5D8FDB94EF68C895BADBBF1FF59300F5041AAD00DE3291DB35A981CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98ed64c5affb4e7a109b5ec7fe1ff3abeca1c2c5a2b59f6b38e8c99b81c1d888
                                        • Instruction ID: 1d06ec81c44b30befe411b6398180119b42ab6791b1f6641212a82c1bba49951
                                        • Opcode Fuzzy Hash: 98ed64c5affb4e7a109b5ec7fe1ff3abeca1c2c5a2b59f6b38e8c99b81c1d888
                                        • Instruction Fuzzy Hash: CBA11EB190CA1D8FDB94EF68C894BACBBF1FF69300F5041AAD04DE3291DA359981CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4d1ccbc507234c10ae43a2719110e408bbeb08cef01f491b3c95eca82c30eb1
                                        • Instruction ID: d86c6bd86404a3d3e71c07c19e36f215bc5ee8a62a6af67c209b772bb724b2ae
                                        • Opcode Fuzzy Hash: b4d1ccbc507234c10ae43a2719110e408bbeb08cef01f491b3c95eca82c30eb1
                                        • Instruction Fuzzy Hash: F1A12B7190CA5D8FDB95EF68C895BA8BBF1FF59300F1441EAD00DE72A2DA346981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 962ecad8743d0a17e69bdf089f68504b47aec3e59b0fe61cb52490b908efec6a
                                        • Instruction ID: c0fcc13562f3911c3ece9b3bf09a772528d6eed454d8f6d8f36773818efd97b8
                                        • Opcode Fuzzy Hash: 962ecad8743d0a17e69bdf089f68504b47aec3e59b0fe61cb52490b908efec6a
                                        • Instruction Fuzzy Hash: 8891ECB1D18A1D8FDB94EF68C895BA9BBF1FF68301F5041A9D00DE3291DB35A981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: edd696e539b77195f7bee3a514d31231a5d069d2dfa5f0dec3c11077ea33cda9
                                        • Instruction ID: cfadf15c40ee215f92febb67516dbf2f64ea6e1051c084a3375106748d00ae55
                                        • Opcode Fuzzy Hash: edd696e539b77195f7bee3a514d31231a5d069d2dfa5f0dec3c11077ea33cda9
                                        • Instruction Fuzzy Hash: ED91CBB1A0891D8FDF94EF68C895BACBBF1FF68301F5041AAD00DE3251DA35A981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 876e255d0adbc815905aa627cf75a602e87c672bc3490a07bb043c93aff5dbd5
                                        • Instruction ID: fddeea54f74674deba46adf3cb86073d0157974c1294c77f4d8d6b995759249a
                                        • Opcode Fuzzy Hash: 876e255d0adbc815905aa627cf75a602e87c672bc3490a07bb043c93aff5dbd5
                                        • Instruction Fuzzy Hash: DE91B8B1D1891D8FDB94EF68C895BACBBF1FF68300F5051AAD40DE3261DA35A981CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4658eea6ce716ddd9f860484380a9d2e05094a7b88b2fd6c791f16a8e1b2a885
                                        • Instruction ID: b1313bb02902b87cbb8bc020c2f17d4809cecba29dabfff59f6d0b2096235818
                                        • Opcode Fuzzy Hash: 4658eea6ce716ddd9f860484380a9d2e05094a7b88b2fd6c791f16a8e1b2a885
                                        • Instruction Fuzzy Hash: 5A81B970A08A5D8FDF94EF68C895BACBBF1FF69301F4441AAD44DE7251DA74A881CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd9711b8c02af569157a30369e2a55b52f4f8bacfca8fe3614130cc311ec96ca
                                        • Instruction ID: adae77c56b7f0c02522ca4f0dbacd4668baf5b8534b91c95bd911e067a8136e0
                                        • Opcode Fuzzy Hash: fd9711b8c02af569157a30369e2a55b52f4f8bacfca8fe3614130cc311ec96ca
                                        • Instruction Fuzzy Hash: 43718570A18A1D8FDF94EF68C895BADBBF1FF69301F5041A9E40DE7251DA74A881CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 495e601b1d4f22924385808c1e01e915b3619465096e4810f8f0b4fa73d11af1
                                        • Instruction ID: fdeb0b6f376684f450432dd70072f7529973c4ea305b5fed2a062be5f59731ec
                                        • Opcode Fuzzy Hash: 495e601b1d4f22924385808c1e01e915b3619465096e4810f8f0b4fa73d11af1
                                        • Instruction Fuzzy Hash: 5271E870909A1D9FDF95EF68C895AADBBF1FF59300F4010A9D40DE7266DB35A881CB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 437761d636cb61b292c8e3eb905c2712ef5827ee1eb0cf6abb34fbdd05073d8b
                                        • Instruction ID: 0a5a155b2b099578c1cff85433a752fd710a1435e5a899c43c412ecf91376cb1
                                        • Opcode Fuzzy Hash: 437761d636cb61b292c8e3eb905c2712ef5827ee1eb0cf6abb34fbdd05073d8b
                                        • Instruction Fuzzy Hash: 9571D670A09A1D9FDF94EF68C895BADBBF1FB69300F501069E40DE7255DB35A881CB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b18f4fe73a45a0e1e12531b3d9383e3ad3ac40549afb8353d0c44f921ea7c1c
                                        • Instruction ID: ddf086eef37261790a72ca30951afceda29b2cfd17f9cee0b9a55c67f1589abb
                                        • Opcode Fuzzy Hash: 1b18f4fe73a45a0e1e12531b3d9383e3ad3ac40549afb8353d0c44f921ea7c1c
                                        • Instruction Fuzzy Hash: B4315BA291DA4D8FE352BF78C8562E9BFB1EF45214B4441BBC549C71E7ED28240387B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b2597c1b7ae40427f0e1bd77dcc34b41bfdfd23525a5ad67792922cb11eda13
                                        • Instruction ID: 407fc61e62b8cb65a17858f210d930ceb9b92c11aa15f045e9f983142060bf0e
                                        • Opcode Fuzzy Hash: 6b2597c1b7ae40427f0e1bd77dcc34b41bfdfd23525a5ad67792922cb11eda13
                                        • Instruction Fuzzy Hash: D631B27194A64A8FDB41EBB8C8516EDBBB1EF4A300F011079D509D3592DA399882CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ad3ea1f325613daf5e09a2059094548fdc5c9649fa73a2877b71f4dea070ab4
                                        • Instruction ID: 0b738198f60def8950301403256ccdfd73dd199eb79bdcec2507b3b492e2b41d
                                        • Opcode Fuzzy Hash: 6ad3ea1f325613daf5e09a2059094548fdc5c9649fa73a2877b71f4dea070ab4
                                        • Instruction Fuzzy Hash: 6C3127A291DA4E8FE792BF78C4552F9BFB2EF85210F4441B6C449D71E6DD28280387B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c21138566a0cba7eab2da0f57bfd9caf84d79b898f087030081689e1183fb32
                                        • Instruction ID: 2090d6b18e5d2edebd5330d0668f2610e0c55a46e210407397d4df9a4ee00786
                                        • Opcode Fuzzy Hash: 2c21138566a0cba7eab2da0f57bfd9caf84d79b898f087030081689e1183fb32
                                        • Instruction Fuzzy Hash: C1214CA291D94D8FE792BF78C4552F9BFB2EF84310F4440B6D449D71A6DD28280387B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ab1ad668417fcec4f83542f6078fe686bfee90dbc8cae165ecd52a8b491270a
                                        • Instruction ID: 37f49a0ab8ae78fe0d5c290b018f6b1e80fa543eb0597403837f82fc610f4a2e
                                        • Opcode Fuzzy Hash: 3ab1ad668417fcec4f83542f6078fe686bfee90dbc8cae165ecd52a8b491270a
                                        • Instruction Fuzzy Hash: B2214BA291D94D8FE792BF38C4552F9BFB2EF89310F4440B6D449D72AADD2828038771
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b6907108088e79e8f76bf94c30a51ff521e27561b4c985180f52cbd4d4d8b46d
                                        • Instruction ID: 0ed97ac285bfc23b5a9c3ebde7912c11918d1ee1c125c46074cdafe9c52600c4
                                        • Opcode Fuzzy Hash: b6907108088e79e8f76bf94c30a51ff521e27561b4c985180f52cbd4d4d8b46d
                                        • Instruction Fuzzy Hash: DB2126B1C09A1E8EEB41EFA8C5596EDBBF0FF59300F40146AD408E3192DA38A5458B40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a483a8f06c3e0c6bb799e56a0c5338723acebe9839eddfd1413638584d7abe2a
                                        • Instruction ID: a762edd43382943fca10cbec17438bcfa309ea2281db1d3f6a14f5bfb0bab732
                                        • Opcode Fuzzy Hash: a483a8f06c3e0c6bb799e56a0c5338723acebe9839eddfd1413638584d7abe2a
                                        • Instruction Fuzzy Hash: 8F212CA291D94D8FE792FF78C4552F9BFB2EF49300F4441B6D449D72AADD2828028771
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ca92296e85e6571ea6a9f04b7aa70fe77f83394989bd2e5fc06aba495b10dcb
                                        • Instruction ID: 276abcdde2c53a78fb63e2c52fcbef883d02fd79e1dbf1df363a1ffc762a947b
                                        • Opcode Fuzzy Hash: 6ca92296e85e6571ea6a9f04b7aa70fe77f83394989bd2e5fc06aba495b10dcb
                                        • Instruction Fuzzy Hash: B921F9A191D94E8FE792BF78C4552F9BFB2EF49300F4441B6D449D72AADD2828028771
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2aa33123fc145b7d7aecb271fe667056a7c30c5a29d9b03d0c5128d1f90dba9
                                        • Instruction ID: e448f61213e6dc1a39155c8ee9c95f582cbfd7ea5f97ffd041e420d84b2d5455
                                        • Opcode Fuzzy Hash: c2aa33123fc145b7d7aecb271fe667056a7c30c5a29d9b03d0c5128d1f90dba9
                                        • Instruction Fuzzy Hash: 6A21F8B1D19A4D8FDF81EFA8C859AEDBBB1FF59311F441166D508E32A1DB38A841CB01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1512857006.00007FFB4B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B230000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffb4b230000_edlyEKgpaz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 956096d825913165f6d819b249c18b5259632ac7538488065eaea143e19c44d2
                                        • Instruction ID: 3281e2766297f6c125886611d2f6c6c982482187cfb7120adf18e628d22f7f6f
                                        • Opcode Fuzzy Hash: 956096d825913165f6d819b249c18b5259632ac7538488065eaea143e19c44d2
                                        • Instruction Fuzzy Hash: 29D05EA29388095FE794FE79E855ABDA7A0FF84600B405236A14AC25A1CD2418018220
                                        Uniqueness

                                        Uniqueness Score: -1.00%